JWT - JSON Web Token

JWT - JSON Web Token

JWT stands for JSON Web Token. It's a compact, URL-safe means of representing claims to be transferred between two parties. 

JWTs are commonly used for authentication and authorization in web applications and APIs. 

What is JWT?

JSON-Based Token: JWTs are encoded as JSON objects, making them easy to read and parse.

Compact Format: JWTs are designed to be compact, making them suitable for transmission in HTTP headers or URL query parameters.

Self-Contained: JWTs contain all the necessary information about the user or entity in the token itself, reducing the need to query a database or server for user data.

Why Use JWT?

Stateless Authentication: 

JWTs enable stateless authentication, meaning the server doesn't need to store the session state on the server side. Each request includes a token, and the server validates and extracts the necessary information from the token to authenticate the user.

Cross-Domain Authentication: 

JWTs can be shared across different domains, making them suitable for single sign-on (SSO) scenarios where users need to access multiple services with a single authentication.

Security: 

JWTs can be digitally signed and optionally encrypted, providing integrity and confidentiality for the information contained within the token. This helps prevent tampering and unauthorized access to sensitive data.

When to Use JWT?

User Authentication:

JWTs are commonly used for user authentication in web applications and APIs. After a user logs in, the server generates a JWT containing the user's ID, roles, or other claims, which the client includes in subsequent requests to access protected resources.

Authorization: 

JWTs can include authorization information such as user roles or permissions. This allows servers to make authorization decisions based on the claims within the JWT.

Information Exchange: 

JWTs can be used to exchange information securely between different services or components within an application. For example, a server can issue a JWT containing a temporary access token to grant limited access to a resource.

Usage Example

Authentication: 

After a user logs in, the server generates a JWT containing the user's ID and any relevant information. The client receives this JWT and includes it in the `Authorization` header of subsequent requests. The server validates the JWT and extracts the user's ID to authenticate the request.

Authorization: 

The server receives a request with a JWT in the `Authorization` header. It verifies the JWT's signature and extracts the user's roles or permissions from the claims. 

Based on this information, the server decides whether to allow or deny access to the requested resource.

JWTs provide a flexible and secure mechanism for authentication, authorization, and information exchange in web applications and APIs. 

They are widely adopted due to their simplicity, scalability, and suitability for modern distributed architectures.

Achieving stateless authentication and authorization between your front end and back end. 

In a typical setup where you have a microservice architecture with Spring Boot serving as the backend and Angular serving as the frontend, it's common to use JWTs for authentication and authorization. Here's how the process typically works:

User Authentication:

   - When a user logs in to the Angular frontend, the credentials are sent to the Spring Boot backend.

   - The backend verifies the credentials and, if they are valid, generates a JWT containing the user's ID and any necessary user roles or permissions.

   - The backend sends this JWT back to the Angular frontend as part of the login response.

Subsequent Requests:

   - After successful authentication, the Angular frontend stores the JWT locally (e.g., in browser localStorage or sessionStorage).

   - For all subsequent requests to the backend API, the Angular frontend includes the JWT in the `Authorization` header of the HTTP request.

   - The Spring Boot backend intercepts incoming requests and validates the JWT included in the `Authorization` header.

   - If the JWT is valid and contains the necessary user information and permissions, the backend processes the request and sends back the appropriate response.

   - If the JWT is invalid or expired, the backend returns an error response, indicating that the user needs to re-authenticate.

Token Renewal

   - JWTs have a finite expiration time to enhance security. When a JWT is close to expiration, the Angular frontend can request a new JWT from the backend by sending a refresh token (if applicable) or by reauthenticating the user with their credentials.

   - The backend verifies the refresh token or credentials and issues a new JWT with a new expiration time.

By using JWTs in this way, you achieve stateless authentication and authorization between your frontend and backend. Each request from the frontend includes the JWT, allowing the backend to verify the user's identity and permissions without the need for session state on the server-side. This approach is well-suited for microservice architectures and distributed systems, as it allows for scalability and flexibility while maintaining security.

JWTs are typically not stored in databases for later use. JWTs are designed to be self-contained tokens that contain all the necessary information about the user or entity within the token itself. When a user logs in or authenticates, the server generates a JWT containing the user's identity, roles, permissions, and any other relevant claims. This JWT is then sent to the client (e.g., browser) and stored there, commonly in local storage or session storage.

The client sends the JWT back to the server with each subsequent request, typically in the `Authorization` header of HTTP requests. The server then validates the JWT to authenticate the user and extract necessary information from the token to make authorization decisions.

Since JWTs are self-contained and digitally signed (and optionally encrypted), they are tamper-proof. Storing them in a database for later use is unnecessary and can introduce additional complexity and security risks. Instead, if a user needs to be logged out or their access revoked, you typically handle that by expiring the JWT or invalidating it on the server side.

JWT  libraries 

In Angular and Spring Boot applications, there are several libraries commonly used for working with JWTs. Here are some popular ones for each side:

Angular Side:

angular-jwt

 This library provides utilities for working with JWTs in Angular applications. It includes features for parsing, validating, and decoding JWTs, as well as handling token storage and retrieval. It integrates seamlessly with Angular's HttpClient module for including JWTs in HTTP requests.

   - GitHub: [https://github.com/auth0/angular-jwt](https://github.com/auth0/angular-jwt)

ngx-auth 

ngx-auth is another Angular library for handling authentication and JWTs. It provides components and services for managing user authentication, including token handling and storage. It offers features like token refresh, token expiration handling, and interceptor-based HTTP token injection.

   - GitHub: [https://github.com/ngx-auth/core](https://github.com/ngx-auth/core)

Spring Boot Side:

Spring Security JWT: 

Spring Security provides support for JWT-based authentication and authorization through its JWT module. It allows Spring Boot applications to easily integrate JWT authentication with minimal configuration. You can configure Spring Security to authenticate requests based on JWTs, validate token signatures, and extract user information from JWT claims.

   - Spring Security Documentation: [https://docs.spring.io/spring-security/site/docs/current/reference/html5/#jwt](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#jwt)

jjwt: 

jjwt is a popular Java library for working with JWTs. It provides features for creating, parsing, validating, and processing JWTs in Java applications. jjwt is commonly used in Spring Boot applications for handling JWT-based authentication and authorization. It's lightweight and easy to use, making it a popular choice for JWT integration.

   - GitHub: [https://github.com/jwtk/jjwt](https://github.com/jwtk/jjwt)

These libraries simplify the process of working with JWTs in Angular and Spring Boot applications, providing utilities and features to handle authentication, token validation, and token injection in HTTP requests. Depending on your specific requirements and preferences, you can choose the library that best fits your needs for JWT integration in your application.

Compatibility

The Angular and Spring Boot libraries mentioned above for working with JWTs are compatible with each other. They serve different purposes on each side of the application (frontend and backend) and can be used together seamlessly.

Here's how they work together:

Angular Side (Frontend):

Libraries like angular-jwt and ngx-auth are used in Angular applications to handle JWT-related tasks such as token parsing, validation, storage, and inclusion in HTTP requests.

These libraries help Angular applications manage user authentication and securely communicate with the backend by including JWTs in requests to the Spring Boot backend.

Spring Boot Side (Backend):

Spring Security's JWT module and the jjwt library are used in Spring Boot applications to handle JWT-based authentication and authorization.

These libraries allow Spring Boot applications to validate incoming JWTs, extract user information from JWT claims, and authenticate requests based on JWTs provided by the Angular frontend.

When an Angular application sends requests to a Spring Boot backend, it includes JWTs in the Authorization header of HTTP requests. The Spring Boot backend then validates these JWTs using the configured JWT validation mechanism (e.g., Spring Security's JWT support or jjwt library), ensuring that requests are coming from authenticated users and authorizing them based on the information contained within the JWTs.

Alternatives

While JWT (JSON Web Tokens) is a popular choice for authentication and authorization in web applications, there are other alternatives available, each with its own features and use cases. Here are some alternatives to JWT:

1. OAuth 2.0/OpenID Connect: 

OAuth 2.0 is a widely used protocol for authorization, allowing users to grant limited access to their resources without exposing their credentials. OpenID Connect (OIDC) builds on top of OAuth 2.0 to provide authentication capabilities. Instead of containing user information like JWTs, OAuth 2.0 tokens represent access rights. OAuth 2.0 tokens include access tokens for resource access and refresh tokens for obtaining new access tokens.

2. Sessions with Cookies: 

Traditional server-side sessions managed with cookies can also be used for authentication and authorization. When a user logs in, the server creates a session and sets a session cookie on the client side. Subsequent requests from the client include this session cookie, allowing the server to identify the user and maintain session state. While sessions with cookies are stateful, they are simpler to implement and may be more suitable for certain applications.

3. Cryptographic Tokens: 

Cryptographic tokens, such as MAC (Message Authentication Code) tokens and PASETO (Platform-Agnostic Security Tokens), provide authentication and integrity protection without the payload size limitations of JWTs. MAC tokens use symmetric key cryptography to generate a token with a message authentication code, ensuring data integrity. PASETO tokens offer similar functionality to JWTs but with improved security properties and fewer potential vulnerabilities.

4. Reference Tokens: 

Reference tokens are tokens that do not contain user information or access rights directly but instead serve as references to information stored on the server. When a client presents a reference token, the server looks up the associated information to determine access rights and user identity. Reference tokens can be used to reduce token size and provide better separation of concerns between authentication and authorization.

5. Custom Solutions: 

In some cases, custom authentication and authorization mechanisms may be appropriate for specific requirements or constraints. These solutions may involve combinations of cryptographic techniques, session management, and access control mechanisms tailored to the application's needs.

Each of these alternatives has its advantages and trade-offs, and the choice depends on factors such as security requirements, scalability, interoperability, and the specific use case of the application. It's essential to evaluate the pros and cons of each option and choose the one that best fits your application's requirements and constraints.