Understanding JSON Web Tokens
Well, 2024 is gone, and wow it was such an amazing year in many aspects, but especially for software developers and AI enthusiasts.
As I look back, here are a few 2024 breakthroughs that I think set the stage for how we will be doing things moving forward:
- GPT-4o and Claude 3.5 Sonnet enabled more natural and versatile human-AI interactions, significantly changing the way we solve our everyday human problems.
- AI coding assistants like GitHub Copilot and Cursor are now integrated deeply into our developer workflows, reducing mundane tasks and allowing more focus on creative problem-solving.
- NVIDIA's market value went beyond $3 trillion, reflecting how tech giants like Microsoft, Google, and Amazon can no longer live without their powerful AI chips.
- Microsoft's 365 Copilot, their Azure cloud, and all their developer tools are now heavily powered by a myriad of OpenAI services, reshaping human productivity and innovation at all levels.
- .NET Aspire achieved not 1 but 2 major releases, reflecting the increasing demand for better tooling for cloud-native development with a strong focus on Azure.
2025 is only going to get better, but boy, things are moving so fast!
Today I want to dive into JWTs (JSON Web Tokens), and the key role they play in today's web app security infrastructure.
Let's dive in.
What is a JSON Web Token (JWT)?
Think of a JWT (pronounced "jot") like a digital VIP pass at a concert. Just as a VIP pass contains information about who you are and what areas you can access, a JWT contains claims about a user and their permissions.
The key difference is that a JWT is cryptographically signed. Anyone who holds the token can still read it (a plain JWT is encoded, not encrypted), but any change to its contents invalidates the signature, so tampering is detected the moment the token is checked.
To be more specific:
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.
Now, before looking at real JWTs, I think it's good to understand the concept of a claim.
What is a claim?
Our VIP pass carries several pieces of information about the pass holder: his name, the areas he is allowed to enter, and how long the pass is valid.
Each of these pieces of information is like a "claim" in JWT terms.
A claim is a statement about an entity (typically, the user) and additional data.
Think about it this way: When Thomas shows his VIP pass to a security guard, that pass is making several claims on his behalf:
- The name claim: "I am Thomas A. Anderson"
- The access level claims: "I have permission to enter the backstage area," "I can enter the green room," "I can attend the soundcheck"
- The time validity claim: "My privileges are valid until December 31, 2025"
In a JWT, claims work the same way. When your application presents a JWT to a server, it's like Thomas showing his VIP pass, which makes specific claims about Thomas and his granted access.
But what do these JWTs look like?
What's in a JWT?
JWTs follow a 3-part structure: three Base64url-encoded segments separated by dots, in the form header.payload.signature.
So there we have:
- The Header, which contains information about the type of token (typ) and the algorithm used to sign it (alg)
- The Payload, which contains all the transmitted claims
- The Signature, which is calculated over the encoded header and payload using the algorithm named in the header, with either a shared secret (for HMAC algorithms such as HS256) or the issuer's private key (for RSA or ECDSA algorithms such as RS256).
Now if you Base64url-decode the payload of a JWT, as your web app will do, you get a plain JSON object. No key is needed for that step, which is why decoding a token is not the same as verifying it.
So it's just a list of claims related to Mr. Anderson and the access given to him in the system.
To explain a few important ones:
- sub: The unique ID of Thomas in the system
- iss: The URL of the authorization server that issued the token
- scope: The type of access granted to the app, on behalf of Thomas, to use our backend API
- role: The business role assigned to Thomas
- email: Thomas's registered email
But how are these JWTs used in real life and who creates them?
Token-based Authentication
Let's say you have a backend API that gates access to everything related to the concert venues and that Thomas wants to securely check all that info from his phone.
Here is where we would use what is known as token-based authentication:
Token-based authentication is a security mechanism in which a client authenticates itself to a server by presenting a unique token, which serves as a temporary credential to access protected resources.
It works like this:
- Thomas Requests Authorization: Thomas logs in through the mobile app to request access to concert details.
- Authorization: The authorization server checks Thomas’s credentials and approves his login.
- JWT Issued: The authorization server issues a JWT with all the claims that confirm the kind of access Thomas has been granted.
- API Request: The mobile app sends a request to the Concert Gate API, attaching the issued JWT in the Authorization header as a Bearer token.
- API Validates JWT: The API verifies the JWT's signature against the authorization server's key, checks that the token came from the expected issuer and has not expired, and only then uses its claims to decide whether Thomas is allowed to do what the request asks.
- API Responds: The API returns the requested concert details to the mobile app.
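The three-part structure described under "What's in a JWT?" and the issue-then-validate flow above, as an added Python example. This is not code from the newsletter, nor ASP.NET Core's or Keycloak's own implementation: it uses only the standard library to issue an HS256 token carrying the kind of claims shown for Thomas, decodes the payload without any key (which proves nothing), and then verifies it the way the Concert Gate API would, rejecting a tampered payload, an expired token, and a token whose header asks for an algorithm the API does not expect. The issuer URL, audience, scope string, shared secret and timestamps are constructed for the demo.

```python
# Added example: builds, decodes and verifies an HS256 JWT with only the Python
# standard library. Issuer URL, audience, scope, secret and timestamps below are
# constructed for the demo, not taken from the newsletter or from Keycloak.
import base64
import hashlib
import hmac
import json
import time

DEMO_ISSUER = "https://auth.example.com/realms/concerts"  # assumed issuer URL
DEMO_AUDIENCE = "concert-gate-api"                         # assumed audience


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as the JWT spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_jwt(claims: dict, secret: bytes) -> str:
    """What the authorization server does: header.payload.signature (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_json_segment(header)}.{_json_segment(claims)}"
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def decode_payload(token: str) -> dict:
    """Decoding only: no key involved, so this proves nothing about authenticity."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """What the API does before trusting any claim. Raises ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the API expects instead of trusting the header's alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only now is the payload trustworthy; check who issued it, for whom, and until when.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def has_scope(claims: dict, required: str) -> bool:
    """OAuth-style scope claim: a space-separated string of granted scopes."""
    return required in claims.get("scope", "").split()


def demo() -> dict:
    secret = b"constructed-demo-secret-do-not-reuse"  # assumed shared secret
    now = 1_700_000_000                                 # fixed clock for the demo
    claims = {
        "sub": "thomas.anderson", "iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE,
        "scope": "concerts:read", "role": "fan", "email": "thomas@example.com",
        "iat": now, "exp": now + 300,
    }
    token = issue_jwt(claims, secret)
    verified = verify_jwt(token, secret, DEMO_ISSUER, DEMO_AUDIENCE, now=now)
    results = {
        "parts": len(token.split(".")),
        "subject": verified["sub"],
        "can_read": has_scope(verified, "concerts:read"),
        "can_write": has_scope(verified, "concerts:write"),
    }
    # Tampering: promote Thomas to admin in the payload but keep the old signature.
    header_b64, _, sig_b64 = token.split(".")
    forged = dict(claims, role="admin")
    tampered = f"{header_b64}.{_json_segment(forged)}.{sig_b64}"
    results["tampered_role_as_decoded"] = decode_payload(tampered)["role"]  # decoding still says "admin"
    for label, bad_token, clock in (
        ("tampered", tampered, now),
        ("expired", token, now + 300),
        ("alg_none", f"{_json_segment({'alg': 'none'})}.{_json_segment(claims)}.", now),
    ):
        try:
            verify_jwt(bad_token, secret, DEMO_ISSUER, DEMO_AUDIENCE, now=clock)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices worth noticing: the signature is checked before any claim is read, so a forged payload never reaches the authorization logic even though decode_payload happily shows the forged role; and the verifier pins HS256 rather than honouring whatever alg the header announces, which is what lets it refuse the "none" token outright. A production API (ASP.NET Core's JWT bearer handler included) does the same checks with the issuer's published keys instead of a shared secret.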
Now, how do you deal with these JWTs in your ASP.NET Core APIs? Let's tackle that in next week's newsletter.
And, if you need to learn how to configure Keycloak, a popular open-source authorization server, to authenticate your users and generate JWTs, I go over all those details (and lots more) in the bootcamp.
New ASP.NET Core Security course: recording complete!
Earlier this week I finished recording course 3 of the bootcamp: ASP.NET Core Security and, as expected, it ended up being the largest course in the bootcamp yet.
This course is a bit longer to make sure you are ready to answer questions like:
- How does ASP.NET Core validate and extract info from the JWTs attached to your requests?
- How do OAuth 2.0 and OpenID Connect (OIDC) work?
- How to read and transform claims?
- What are and how to use different authentication schemes?
- How to implement different types of authorization policies based on JWT claims?
- How can a full-stack application integrate with Keycloak to offload user login and registration and enable OIDC?
And tons of other stuff, including a mini-course on Docker for students new to that popular tech.
I'm now going through all the post-production work, which ended up being a bit more than anticipated, but if all goes well this course should be ready for all bootcamp students by January 14.
Now, back to work.
Until next time!
Julio
Whenever you’re ready, there are 3 ways I can help you:
- .NET Cloud Developer Bootcamp: Everything you need to build production-ready .NET applications for the Azure cloud at scale.
- Ultimate C# Unit Testing Bundle: A complete beginner to advanced C# unit testing package to write high-quality C# code and ship real-world applications faster and with high confidence.
- Promote yourself to 20,000+ subscribers by sponsoring this newsletter.