If you’ve ever wondered how JWT (JSON Web Token) signatures are created behind the scenes, this guide is for you. We’ll break down the process of manually creating HS256 JWT signatures. Let’s dive into the magic behind JWT signing!
Mastering in JSON Web Token ( JWT )
Understanding JWT Algorithms: HS256, RS256, and None
How to use JWT Token Safely
What is HS256 algorithm ?
HS256 stands for HMAC (Hash-based Message Authentication Code) using the SHA-256 hashing algorithm. It is a symmetric algorithm, which means the same secret key is used for both signing and verifying the token.
What is a Signature?
A signature is a way to ensure that a message (or token) has not been altered and comes from a trusted source. When we sign a JWT, we create a unique string based on the header and payload, which can be verified later.
Creating an HS256 Signature Manually:
- Step 1: Prepare Your Header and Payload
First, we need to create the header and payload. The header for HS256 looks like this:
{
"alg": "HS256",
"typ": "JWT"
}The payload can contain any claims you want. For example:
{
"sub": "1234567890",
"name": "InfoSecSecure",
"iat": 1516239022
}- Step 2: Base64Url Encode the Header and Payload
Next, we need to convert the header and payload into a Base64Url format. This is similar to Base64 encoding but replaces + with – and / with _, and it also removes any trailing = characters.
Header Base64Url value: eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9
Payload Base64Url value: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkluZm9TZWNTZWN1cmUiLCJpYXQiOjE1MTYyMzkwMjJ9
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkluZm9TZWNTZWN1cmUiLCJpYXQiOjE1MTYyMzkwMjJ9.
- Step 3: Create the Signature
Run the following command to generate the signature part:
echo -n "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkluZm9TZWNTZWN1cmUiLCJpYXQiOjE1MTYyMzkwMjJ9" \
| openssl dgst -sha256 -hmac 'Follow InfoSecSecure' -binary | base64 -w 0 | sed 's/+/-/g' | sed 's/\//_/g' | sed -E 's/=+$//'
After running this entire command, you will get the HS256 signature for your JWT. This signature can then be appended to your JWT to create a complete token that can be sent to clients or used for authentication.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkluZm9TZWNTZWN1cmUiLCJpYXQiOjE1MTYyMzkwMjJ9.sUG3INFSEwgb14-wXuM1V9OLx_xBjMHlfbaJR6cmSO4This signature is what ensures the integrity and authenticity of your JWT. When someone receives the JWT, they can use the same secret key to verify that the token has not been tampered with.
Security Considerations:
- Secret Key: The security of HS256 relies on the secrecy of the key. If the key is compromised, an attacker can forge valid tokens.
- Key Length: Use a sufficiently long and random secret key to enhance security.
- Token Expiration: Implement token expiration to limit the lifespan of a token and reduce the risk of misuse.
HS256 is widely used due to its simplicity and efficiency, but it is important to consider the security implications and best practices when implementing JWTs in your applications.