JSON Web Tokens (JWT)

A JWT (JSON Web Token), while not part of the OAuth2 standard, is commonly used as the physical structure for a Self-contained Access Token (described above). A JWT holds a Resource Owner’s identity, the Client identity, issuing and expiration timestamps, and the scopes used by the Resource Server’s authorization process. Other Authorization Server defined claims (that is, JSON fields) may be added by a vendor's implementation. A JWT is a Base64url-encoded value made of three sub-structures that describe the data-integrity signature algorithm, the user’s identity claims, and the data-integrity signature itself. The sub-structures are delimited by a period ('.') character.

Structure Name | Description
-------------- | -----------
Header | Contains information about the JWT's Payload and data-integrity Signature structures
Payload | Contains multiple JWT claims (JSON fields) that describe an authenticated user's id, issuing and expiration timestamps, scope, client ID, and other values
Signature | Contains a binary digital signature of the Header and Payload structures that is produced using the signature algorithm type and size named in the Header
A JWT's payload has a small number of common user identity claim fields, but for the most part is wide-open to customization of what it contains. Common identity claim fields include:
JWT Field Name | Description | Required in JWT token | Required in OAuth2 token
-------------- | ----------- | --------------------- | -----------------------
iss | The URI of the Authorization Server that issued the JWT token | Yes | Yes
sub | The user-id. For OAuth2 it will be the Resource Owner’s ID | Yes | Yes
aud | The token’s audience of consumers. For OAuth2 this will be the Resource Server's ID | Yes | Yes
client_id | Identifies the unique Client ID registered by a Client application with an Authorization Server, and is used by a Resource Server to determine whether the issued JWT may be used to access Resource Owner data | No | Yes
jti | A unique identifier for this token that may be used to detect replay attacks and establish Client login sessions | optional | optional
iat | The JWT creation date | Yes | Yes
exp | The JWT expiration date, after which it may not be used by a Resource Server | optional | optional
nbf | The JWT validation date, before which it may not be used by a Resource Server | optional | optional
scope | OAuth2 field name that carries a space-delimited list of ‘scopes’ that tell a Resource Server what data and operations the Client is authorized to access | Yes | Yes
token_type | OAuth2 field name. Indicates the HTTP Authorization header scheme this token was issued in (typically the ‘bearer’ value) | optional | optional
<other> | Any other Authorization Server provided claims | optional | optional
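The claims table above describes what a Resource Server is expected to look at once the Signature has been verified. The following is an added example of that claim-level policy check, written here for illustration and not taken from the Progress documentation or from the PAS for OpenEdge code base. The issuer, audience, client ID and scope values are constructed sample data; the "Required in OAuth2 token" column drives the list of claims that must be present, and the time claims are interpreted as NumericDate seconds with a small clock-skew allowance (the 60 second default is an assumption, not a value from the page).

```python
import time
from typing import Dict, List, Optional, Sequence

# Mirrors the "Required in OAuth2 token" column of the claims table.
REQUIRED_OAUTH2_CLAIMS = ("iss", "sub", "aud", "client_id", "iat", "scope")


def validate_claims(payload: Dict, *, issuer: str, audience: str,
                    required_scopes: Sequence[str], now: Optional[int] = None,
                    leeway: int = 60) -> List[str]:
    """Return the policy violations found in a decoded payload (empty list = accepted).

    Signature verification is assumed to have happened already; only the claims are
    judged here. Every check fails closed on a missing or mistyped value.
    """
    if now is None:
        now = int(time.time())
    problems: List[str] = []

    for name in REQUIRED_OAUTH2_CLAIMS:
        if name not in payload:
            problems.append(f"missing required claim {name}")

    # iss must be the Authorization Server this Resource Server trusts.
    if payload.get("iss") != issuer:
        problems.append("iss does not match the configured Authorization Server")

    # aud may be a single string or a list of strings; this server must be in it.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        problems.append("aud does not include this Resource Server")

    # exp and nbf bound the validity window; a bool would pass an int check, so exclude it.
    for name, check in (("exp", lambda t: now < t + leeway),
                        ("nbf", lambda t: now >= t - leeway)):
        value = payload.get(name)
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems.append(f"{name} is not a NumericDate")
        elif not check(value):
            problems.append(f"{name} places the token outside its validity window")

    # A creation date in the future points at clock trouble or a forged claim.
    iat = payload.get("iat")
    if isinstance(iat, (int, float)) and not isinstance(iat, bool) and iat > now + leeway:
        problems.append("iat is in the future")

    # scope is one space-delimited string, not a JSON array.
    scope = payload.get("scope")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    missing = [s for s in required_scopes if s not in granted]
    if missing:
        problems.append("scope lacks " + " ".join(missing))

    return problems


if __name__ == "__main__":
    # Constructed sample payload; the timestamps are relative to a fixed "now".
    NOW = 1_700_000_000
    sample = {"iss": "https://as.example", "sub": "alice", "aud": ["pas-api", "other-api"],
              "client_id": "web-app", "iat": NOW - 10, "exp": NOW + 300,
              "nbf": NOW - 10, "scope": "read write", "jti": "constructed-id-1"}
    print(validate_claims(sample, issuer="https://as.example", audience="pas-api",
                          required_scopes=["read"], now=NOW))
```

Returning a list of violations rather than a single boolean keeps the decision auditable: the Resource Server can log every failed check for the token while still rejecting it on the first one.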
A JWT's Header may specify one of a set of data-integrity algorithm types based on the JWS standard, which includes HMAC (secret-key) and RSA (public-private key) types.
Header Field Name | Description | Required
----------------- | ----------- | --------
alg | The JWS algorithm name used for generating and verifying the JWT's Signature field value (see the table of JWS signature names) | Yes
typ | The type of token data format. If not specified, most vendor implementations default it to JWT | No
kid | The alias Key-ID name that identifies a keystore entry holding the key the Resource Server uses to validate the JWT's Signature field value | No
JWS Signature names:

JWS Algorithm Name | Cryptographic Algorithms | Key Size
------------------ | ------------------------ | --------
HS256 | HMAC w. SHA | 256
HS384 | HMAC w. SHA | 384
HS512 | HMAC w. SHA | 512
RS256 | RSA signature w. SHA | 256
RS384 | RSA signature w. SHA | 384
RS512 | RSA signature w. SHA | 512
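To make the three-part structure and the HS* rows of the table concrete, here is an added example that builds and verifies a JWT using only the Python standard library. It is illustration written for this page, not code from Progress or from PAS for OpenEdge, and the secret key and claim values are constructed sample data. Only the HMAC family is implemented; the RS* rows need an RSA library and are deliberately left out. The verifier takes the expected algorithm from its own configuration and rejects any token whose Header names a different one, so a Header claiming "none" or a different HS size never reaches the comparison.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# HS256 / HS384 / HS512 from the JWS table: HMAC over the SHA-2 digest of that size.
HMAC_ALGS = {
    "HS256": hashlib.sha256,
    "HS384": hashlib.sha384,
    "HS512": hashlib.sha512,
}


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWS uses for all three segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JWS strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(header: Dict, payload: Dict, key: bytes) -> str:
    """Serialize header.payload, sign with the alg named in the header, append the signature."""
    alg = header["alg"]
    if alg not in HMAC_ALGS:
        raise ValueError(f"unsupported alg {alg!r}")
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def split_jwt(token: str) -> Tuple[Dict, Dict, bytes]:
    """Split the compact form into decoded Header, decoded Payload and raw Signature bytes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("Header and Payload must be JSON objects")
    return header, payload, b64url_decode(parts[2])


def verify_jwt(token: str, key: bytes, expected_alg: str) -> Optional[Dict]:
    """Return the Payload if the Signature is valid under expected_alg, otherwise None.

    The algorithm comes from the Resource Server's configuration, not from the token,
    and the comparison is constant-time.
    """
    if expected_alg not in HMAC_ALGS:
        return None
    try:
        header, payload, sig = split_jwt(token)
    except ValueError:  # covers bad base64, bad JSON and bad segment count
        return None
    if header.get("alg") != expected_alg:
        return None
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(key, signing_input, HMAC_ALGS[expected_alg]).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return payload


if __name__ == "__main__":
    # Constructed key and claims, not values from any real deployment.
    KEY = b"constructed-demo-secret"
    token = create_jwt({"alg": "HS256", "typ": "JWT"},
                       {"iss": "https://as.example", "sub": "alice", "aud": "pas-api",
                        "iat": 1700000000, "scope": "read write"}, KEY)
    print(token)
    print(verify_jwt(token, KEY, "HS256"))
```

Pinning `expected_alg` on the verifying side is the point worth copying: the `alg` Header field tells the verifier how the token was signed, but the verifier should only agree to run the algorithm it has been configured for.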