Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why do you use base64 URL encoding with JSON web tokens?

Tags:

hash

base64

jwt

base64url

The Scenario:

I'm reading about JSON web tokens at this link (https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec). It outline how to create a JSON web token, you create a header and a payload, and then create a signature using the following pseudocode:

data = base64urlEncode( header ) + “.” + base64urlEncode( payload )
hashedData = hash( data, secret )
signature = base64urlEncode( hashedData )

My Question:

Why does the pseudocode use base64urlEncode when creating data and signature?

Scope Of What I Understand So Far:

Base64 allows you to express binary data using text characters from the Base64 set of 64 text characters. This is usually used when you have a set of data that you want to pass through some channel that might misinterpret some of the characters, but would not misinterpret Base64 characters, so you encode it using Base64 so that the data won't get misinterpreted. Base64 URL encoding, on the other hand, is analogous to Base64 encoding except that you use only a subset of the Base64 character set that does not include characters that have special meaning in URLs, so that if you use the Base64 URL encoded string in a URL, its meaning won't get misinterpreted.

Assuming my understanding there is correct, I'm trying to understand why base64urlEncode() is used in computing data and signature in the pseudocode above. Is the signature of a JSON web token going to be used somewhere in a URL? If so, why is data base64urlEncoded as well before hashing. Why not just encode the signature? Is there something about the hash function that would require its data parameter to be Base64 URL encoded?

like image 652
gkeenley Avatar asked Jun 21 '19 22:06

gkeenley

1 Answers

When using the OAuth Implicit Grant, JWTs may be transferred as part of URL fragments.

That is just an example, but I guess in general it was presumed that JWTs might be passed through URLs, so base64urlEncodeing them makes sense.

The first line of the IETF JWT standard abstract even says: JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.

(Note that the OAuth Implicit Grant is no longer recommended to be used.)

like image 105
Otto Avatar answered Oct 06 '22 03:10

Otto
Sign in to Comment

Related questions

How can I hash a file on iOS using swift 3?
ruby: how to convert hash into array
md5 decoding. How they do it?
How to Hash Value in Flutter Using SHA256?
How can I make hash key lookup case-insensitive?
How to generate partial checksum of a file
How to define a method in ruby using splat and an optional hash at the same time? [duplicate]
Remove key/value pair from array of hashes
How can I create a unique 7-digit code for an entity?
Java - Make an object collection friendly
Django: set_password isn't hashing passwords?
Are salts useless for security if the attacker knows them?
Can I be sure the built-in hash for a given string is always the same?
Bcrypt for password hashing because it is slow?
Can an MD5 hash have ONLY numbers or ONLY letters in it?
How can I determine if a Perl hash contains a key mapping to an undefined value?
Facebook login, problem with hash key - Flutter , How to generate Facebook Hashkey in flutter?
How can I hash a string with SHA256 in JS?
Why does this map statement in Perl not compile?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!