JWTs: Beyond the Buzzwords - What You Really Need to Know
JWT
April 16, 2024

JWTs: Beyond the Buzzwords - What You Really Need to Know

Let's talk Json Web Tokens aka JWT, shall we? Not just a surface level skim, but a much needed deep dive. You've probably already worked with them, and maybe even fought a JWT-fueled fire drill it the past. But are we really doing our bit in squeezing all the juice out of these little JSON nuggets? Let me tell you something ...let me tell you something - there's a whole damn universe inside a JWT just waiting to be explored and we are going to do just that!

Decoding the Damn Thing

Think of a JWT like a self-contained, digitally signed and verifyable envelope. It's all about secure, portable data for your applications. Three parts, each separated by dots: Header, Payload, and the Signature. Sounds simple enough, right? Well, to no one's surprise the devil's in the details. Let's peel back the layers and explore them.

Anatomy of a JWT

Here’s a JWT broken down, piece by piece. We'll get into what each part really means:

// Header (Base64Url encoded)
{
  "alg": "HS256",       // Specifies the algorithm
  "typ": "JWT"          // Just letting everyone know it's a JWT - standard practice
}

.

// Payload (Base64Url encoded) - This good stuff
{
  "sub": "user123",     // Subject - who this token is about
  "name": "John Doe",   // User's name - or whatever you want to store
  "exp": 1678886400,    // Expiration time - crucial for security
  "roles": ["admin", "editor"] // User roles - for authorization magic
}

.

// Signature (Base64Url encoded) - The cryptographic seal of approval
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret // Keep this REALLY secret - like your Netflix password
)

Decoding a Real JWT

Enough of the theory! Let's get practical. Here's an actual encoded JWT as it would appear in the wild (don't worry, the secret's fake):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

You can decode this using quite a few standard library like jsonwebtoken in Node.js (version 16.x.x as of this writing):

const jwt = require("jsonwebtoken");

const token =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

try {
  const decoded = jwt.verify(token, "your-256-bit-secret");
  console.log(decoded);
} catch (err) {
  console.error("Invalid token:", err);
}

Signing Ceremony: Choosing Your Cryptographic Weapon Wisely

The beauty of JWT is in the signing algorithm. It is very critical and not the area where you slack off. It’s one of assets in your digital fortress against token forgery. HS256 (HMAC with SHA-256) is relatively fast while also using a shared secret. This is great for internal systems where you control both the ends. But if that secret ever makes it's way out of the walled garden, you're toast. As an alternative, RS256 (with SHA-256) makes use of a public-private keyspair. It bring in much stronger security and thus making it ideal for external APIs as well as distributed systems. This however comes with a performance cost of working with RSA.

Choosing the right algorithm is always a balancing act – security versus speed. There's never a one-size-fits-all, especially when the topic at hand is security. You have to consider your applications context in the larger ecosystem, your exposure, the application's blast radius, the target audience and their willingness to invest into breaking your mechanisms. Ask yourself - are you dealing with highly sensitive data? What is your performance budget? Are you ready to spend the next 7 weekends looking at signatures?

JWT Superpowers: Beyond Just Simple Authentication

While JWTs are often just used as digital bouncers checking IDs at the door but they are much much more than just that. Fine-grained authorization? Let's go! You can simply embed roles and permissions directly in the payload. Skip all that redundant database trips. Have a need for single sign-on (SSO)? JWTs can make that happen without even a sweat. Letting users slide between services without much friction. Do I hear - Auditing? logging? Inspect theJWT claims to track user activity like a hawk.

Performance Anxiety: Taming JWTs at Scale

I hate to do this but there's bad news as well - JWTs do end up adding overhead and this overhead is not negligible. At scale, that overhead can become a real pain in the app. Keeping your payloads concise and to the bare minimum can make a really big difference. Think about how frugally you pack for a trip - only the essentials and not even a napkin more. Every extra byte eventually adds up. Signature verification is computationally expensive, and so caching them appropriately can be your friend. With that now you have an additional caching layer to deal with. And remember, while statelessness has it's own perks, it also makes revocation a lot more tricky. Short expiration times and a blacklist cache at the host of more computational power can help you sleep at night, that is if at all in the first place.

JWT vs. The World

JWTs, while fun aren’t the only name in town. Opaque tokens are much simpler to use and revocable by design but require server-side storage. We also have the good old session cookies which are easy to manage but can struggle with scalability in any size of distributed workloads. How can we forget the API keys which while great for service-to-service communication, lacks the granular control tha today's complex app need. In the end, choosing the right authentication mechanism depends on your application's specific needs and the enviornment that it'll operate in. It's always agood idea to not follow the hype. Take the day off, get a cup of cooffee and think it through.

JWT in the Wild: Tales from the Trenches

Case Study 1: The Exploding Payload: I once inherited a service that crammed everything under the sun into the JWT payloads - think user data, preferences, the kitchen sink. While it worked great initially, even giving a false sense of security that the developers have reduced the DB roundtrips and with that improved the users experience. But as the tale goes - the application scaled and these very massive tokens crippled performance. Network calls became sluggish, users complained, costs skyrocketed. Lesson learned: keep payloads lean and mean!

Pitfall 1: The "none" Algorithm Nightmare: Let me be very clear here - never, ever, ever ever, ever ever ever ever even think of using the "none" algorithm! Not even when "testing on the local", definately not on the "test env". It disables signature verification altogether, making your JWTs as secure as a screen door on a submarine. While a rookie mistake, I’ve seen it happen in real customer facing apps. Don't be that person for a change.

Wielding JWTs Effectively

JWTs are powerful tools - no questions on that. But they require some careful considerations. Understand their strengths and weaknesses, and only then choose the right signing algorithm for your specific security and performance needs. Always be mindful of performance, especially at scale. When used correctly, they can enhance your application's security and user experience. Used incorrectly, they can be a source of not only headaches but also the even more expensive - vulnerabilities. So choose wisely, my friend.

What are your experiences with JWTs, especially at scale? Do share them! Let's learn from each other.