Why is a JWT split into three dot-delimited parts?

Tags:

jwt

A JSON Web Token (JWT) is split into three Base-64-encoded parts, which are concatenated by periods ("."). The first two parts encode JSON objects, the first of which is a header detailing the signature and hashing algorithm, and the second contains the assertions. The third is binary data that is the signature itself.

My question is: why is the JSON Web Token split into three separate parts like this? It seems like it would have made parsing them a lot easier to have encoded them as a single JSON object, like so (the example below is incomplete for brevity's sake):

{
    "header": {
        "alg": "rsa"
    },
    "assertions": {
        "iss": "2019-10-09T12:34:56Z"
    },
    "sig": "qoewrhgoqiethgio3n5h325ijh3=="
}

Stated differently: why didn't the designers of JWT just put all parts of the JWT in a single JSON object like shown above?

Jonathan Wilbur asked Dec 31 '22 14:12

1 Answer

IMHO, it would cause more issues. Yes, you could parse it nicely, but what about verification of the signature?

The structure of a JWT is <B64 String>.<B64 String>.<B64 String>. The signature is basically the first 2 parts signed. It is unlikely that the structure will be modified by various frameworks in any way.

Now consider JSON: during serialisation and deserialisation the order of elements may change. The objects {"a":1,"b":2} and {"b":2,"a":1} might be equal in JavaScript, but if you stringify them, they will generate different signatures.

Also, to check the signature you would need to decide upon a standard form of JSON that will be used to generate the signature (for instance, beautified or minified). Again, different choices will generate different signatures.

As a result, there are more hassles than benefits from simply using JSON.

user902383 answered Jan 05 '23 05:01

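As an added illustration of the answer's point (example code written for this page, not from the question, the answer or any JWT library), the following Python signs the same header and claims with HMAC-SHA256 both in the JWS compact form and in the single-object layout proposed in the question. The key, header and claim values are constructed for the demo; the compact-form MAC is bound to the literal transmitted text, whereas the single-object MAC changes with key order and whitespace unless both sides agree on a canonical serialization.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; a real HS256 key is a random secret of at least 32 bytes.
KEY = b"constructed-demo-key-not-a-real-secret"
HEADER = {"alg": "HS256", "typ": "JWT"}
CLAIMS_A = {"iss": "example", "exp": 1700000000}
CLAIMS_B = {"exp": 1700000000, "iss": "example"}  # same content, different key order

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as the JWS compact serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def mac(message: bytes) -> str:
    """HMAC-SHA256 (the JWT 'HS256' algorithm), base64url-encoded."""
    return b64url(hmac.new(KEY, message, hashlib.sha256).digest())

def sign_compact(header: dict, claims: dict) -> str:
    """JWS compact form. The MAC covers the literal text 'header.payload', so the
    verifier checks exactly the bytes on the wire and never re-serializes JSON."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}.{mac(f'{h}.{p}'.encode())}"

def verify_compact(token: str) -> bool:
    h, p, s = token.split(".")
    return hmac.compare_digest(mac(f"{h}.{p}".encode()), s)

def sign_single_object(header: dict, claims: dict, **dumps_kwargs) -> str:
    """The layout proposed in the question: one JSON object with a 'sig' member.
    The MAC must be computed over some serialization of the other members, and a
    verifier must reproduce that serialization byte for byte to check it."""
    body = {"header": header, "assertions": claims}
    sig = mac(json.dumps(body, **dumps_kwargs).encode())
    return json.dumps({**body, "sig": sig}, **dumps_kwargs)

def sig_of(single_object_token: str) -> str:
    return json.loads(single_object_token)["sig"]

if __name__ == "__main__":
    print("compact verifies:", verify_compact(sign_compact(HEADER, CLAIMS_A)))
    # Same data, different key order: the single-object design yields different signatures.
    print(sig_of(sign_single_object(HEADER, CLAIMS_A)) == sig_of(sign_single_object(HEADER, CLAIMS_B)))
    # Same data, beautified vs minified: again different.
    print(sig_of(sign_single_object(HEADER, CLAIMS_A, indent=2)) == sig_of(sign_single_object(HEADER, CLAIMS_A, separators=(",", ":"))))
```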