 

Why do you use base64 URL encoding with JSON web tokens?

The Scenario:

I'm reading about JSON web tokens at this link (https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec). It outlines how to create a JSON web token: you create a header and a payload, and then create a signature using the following pseudocode:

data = base64urlEncode( header ) + "." + base64urlEncode( payload )
hashedData = hash( data, secret )
signature = base64urlEncode( hashedData )

My Question:

Why does the pseudocode use base64urlEncode when creating data and signature?

Scope Of What I Understand So Far:

Base64 allows you to express binary data using text characters from the Base64 set of 64 text characters. This is usually used when you have a set of data that you want to pass through some channel that might misinterpret some of the characters, but would not misinterpret Base64 characters, so you encode it using Base64 so that the data won't get misinterpreted. Base64 URL encoding, on the other hand, is analogous to Base64 encoding except that you use only a subset of the Base64 character set that does not include characters that have special meaning in URLs, so that if you use the Base64 URL encoded string in a URL, its meaning won't get misinterpreted.

Assuming my understanding there is correct, I'm trying to understand why base64urlEncode() is used in computing data and signature in the pseudocode above. Is the signature of a JSON web token going to be used somewhere in a URL? If so, why is data base64urlEncoded as well before hashing? Why not just encode the signature? Is there something about the hash function that would require its data parameter to be Base64 URL encoded?

gkeenley asked Jun 21 '19 22:06

1 Answer

When using the OAuth Implicit Grant, JWTs may be transferred as part of URL fragments.

That is just an example, but I guess in general it was presumed that JWTs might be passed through URLs, so base64urlEncoding them makes sense.

The first line of the IETF JWT standard abstract even says: JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.

(Note that the OAuth Implicit Grant is no longer recommended to be used.)

Otto answered Oct 06 '22 03:10
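To make the answer concrete, here is an added example (not code from the question, the answer, or the linked article) that builds and verifies an HS256 JWT with nothing but the Python standard library. It shows three things the pseudocode glosses over: base64url is standard base64 with "-" and "_" in place of "+" and "/" and the "=" padding removed, so a token can be dropped into a URL fragment or query string untouched; the MAC is computed over the already encoded header and payload segments, so both sides must produce byte-identical encodings; and the same 32-byte HMAC rendered with standard base64 always ends in "=", which is exactly the character a URL would mangle. The secret and the claims are constructed values for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url: '-' and '_' instead of '+' and '/', and no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the padding that was stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(payload: dict, secret: bytes) -> str:
    """Build a compact-serialisation HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) is what the RFC examples and most libraries emit.
    data = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    # The MAC covers the encoded segments, not the raw JSON, so the verifier
    # can recompute it from the token text without re-serialising anything.
    mac = hmac.new(secret, data.encode("ascii"), hashlib.sha256).digest()
    return data + "." + b64url_encode(mac)


def jwt_decode(token: str, secret: bytes) -> dict:
    """Verify the signature and return the claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we issue with; never let the token's own 'alg' pick the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def jwt_is_valid(token: str, secret: bytes) -> bool:
    try:
        jwt_decode(token, secret)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def url_unsafe_chars(text: str) -> set:
    """Characters standard base64 may emit that a URL would reinterpret or drop."""
    return set(text) & set("+/=")


def signature_in_standard_base64(token: str) -> str:
    """Re-encode the token's MAC with standard base64 to show what base64url avoids."""
    mac = b64url_decode(token.split(".")[2])
    return base64.b64encode(mac).decode("ascii")


def token_from_fragment(url: str) -> str:
    """Pull a token out of an implicit-grant style '#access_token=...' fragment."""
    return parse_qs(urlsplit(url).fragment)["access_token"][0]


SECRET = b"correct horse battery staple"  # constructed demo secret, not a real key
CLAIMS = {"sub": "1234567890", "name": "John Doe", "admin": True}  # constructed claims

if __name__ == "__main__":
    tok = jwt_encode(CLAIMS, SECRET)
    print("token:", tok)
    print("url-unsafe chars in token:", url_unsafe_chars(tok) or "none")
    print("same MAC in standard base64:", signature_in_standard_base64(tok))
    print("claims from fragment:",
          jwt_decode(token_from_fragment("https://app.example/cb#access_token=" + tok), SECRET))
```

Because the MAC is over the encoded text, any library that re-encodes the payload (different key order, whitespace, or padded base64) before verifying would fail to match the issuer's signature; verifying against the token's own segments, as `jwt_decode` does, sidesteps that entirely.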