Introduction

The main goal of JSON Web Tokens (JWT) [1] is to provide an open and secure way of representing claims between two parties. Building on this concept, there are several implementations that use JWT as the basis for user authentication and access control. In this section, we give a brief overview of the basics of these approaches and outline their main benefits as well as their disadvantages. We also identify the application scenarios where these solutions may prove to be ideal.

In the “Problem statement” section, we delve into the open problems hindering JWT-based approaches, followed by brief descriptions of some initial attempts at solving them.

In the “Proposed solution” section, we propose a new solution to the problems outlined previously. We describe the corresponding principles, detail the behavior, and go through some potential issues and their mitigation.

In the “Comparison of methods” section, we compare all the previously described solutions by various metrics based on models and measurements. We outline the benefits and drawbacks of each solution and analyze their impact on the overall system architecture. We draw conclusions from these results and show which solution should be used in which cases.

Finally, in the “Conclusion” section, we conclude the article by reviewing the results, reiterating their significance and potential uses, and outlining some future directions.

JWT-based authentication

In a typical JWT-based access control scheme, the initial user authentication is done using a traditional method, for example, a username and password combination. Upon successful authentication, the authorization details of the user, such as identifiers, roles, and permissions, are packed into a JWT. The token is then encrypted using a shared encryption key (called the JWT secret), ensuring verifiability at each secured endpoint. The client passes this token along with each subsequent request (it is known as a “bearer token”); the service decrypts and unpacks it and retrieves the access control data from it. In security terminology, these tokens are usually called access tokens.

Accessing a secured resource through this scheme entails the following procedure:

1. The client sends an authentication request using a pre-defined method, such as a username–password combination.
2. The authentication service, after checking the credentials of the user, creates a JWT from the retrieved user authorization data.
3. This token is encrypted using the JWT secret and then returned to the client, but not stored on the server.
4. The client passes along this token with the request to a secured resource.
5. The secured service receives the request, decrypts the attached token, and unpacks the user authentication data from it. Using this information, the request can be authorized or denied, and a proper response is sent.

For added user comfort, most solutions integrate another layer of authentication by providing refresh tokens (similar to the concept known from the OAuth protocol) [2]. These long-lived tokens are assigned upon successful authentication and can be used to request new access tokens. This can be done invisibly to the user, unlike a request for username and password.

Main benefits

There are two main benefits of a JWT-based authentication scheme: better scaling and performance, and decreased complexity when dealing with distributed systems. The scaling potential comes from the fact that the trusted authentication and authorization information is passed along with the communication itself, instead of being retrieved on the server side. Seen from another perspective, this means that the user state data are retrieved from stable storage upon login and kept in the communication for the duration of the session. The key feature allowing this transition of state into the communication is that the client cannot change the information contained in the token. This is ensured using encryption, or digital signing and message authentication codes (MACs) as described in the JSON Web Signature document [3]. Another advantage is the decreased complexity and decentralization of authorization when dealing with distributed systems. This can be achieved thanks to the token itself containing all the necessary information, making connections between the granting and the secured components unnecessary.
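The following is an added example, not code from the article, that walks through the five-step procedure of the “JWT-based authentication” section and demonstrates the property this section relies on: a client holding the token cannot alter the claims it carries. It assumes the integrity mechanism is a JSON Web Signature HS256 tag (HMAC-SHA256 keyed with the shared JWT secret), which is the MAC variant the text mentions, rather than encryption. The shared secret, the user record and the function names (`sign_jwt`, `verify_jwt`, `authenticate`, `refresh_access`, `secured_endpoint`) are all constructed for this example; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret shared by the authentication service and every secured
# service (the scheme's "JWT secret"). A real deployment loads it from a secrets
# store; this literal exists only so the example runs offline.
JWT_SECRET = b"example-shared-secret-do-not-use-in-production"

# Constructed credential store standing in for the authentication service's user
# database. Only a hash is kept; a real service would use a slow password KDF.
USER_DB = {
    "alice": {
        "pw_sha256": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "roles": ["reader", "editor"],
    }
}

ACCESS_TTL = 15 * 60           # access tokens are short-lived (seconds)
REFRESH_TTL = 30 * 24 * 3600   # refresh tokens live much longer


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Serialize claims as a JWS compact token protected by HS256 (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)

def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, tag_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm; the token itself must not be allowed to choose it.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison so the verifier does not leak the valid tag.
        if not hmac.compare_digest(expected, _b64url_decode(tag_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if now >= claims["exp"]:
            return None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return claims

def _issue(username: str, kind: str, ttl: int, now: float) -> str:
    claims = {"sub": username, "typ": kind, "iat": int(now), "exp": int(now) + ttl}
    if kind == "access":
        claims["roles"] = USER_DB[username]["roles"]   # authorization data travels in the token
    return sign_jwt(claims, JWT_SECRET)

def authenticate(username: str, password: str, now: Optional[float] = None) -> Optional[dict]:
    """Steps 1-3: check the credentials and, on success, return access + refresh tokens.
    Nothing is stored server-side; the tokens carry the whole session state."""
    now = time.time() if now is None else now
    user = USER_DB.get(username)
    if user is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, user["pw_sha256"]):
        return None
    return {"access_token": _issue(username, "access", ACCESS_TTL, now),
            "refresh_token": _issue(username, "refresh", REFRESH_TTL, now)}

def refresh_access(refresh_token: str, now: Optional[float] = None) -> Optional[str]:
    """Trade a valid refresh token for a new access token without asking for the password."""
    now = time.time() if now is None else now
    claims = verify_jwt(refresh_token, JWT_SECRET, now)
    if claims is None or claims.get("typ") != "refresh" or claims.get("sub") not in USER_DB:
        return None
    return _issue(claims["sub"], "access", ACCESS_TTL, now)

def secured_endpoint(bearer_token: str, required_role: str, now: Optional[float] = None) -> int:
    """Steps 4-5: the secured service verifies the bearer token and authorizes the request.
    Returns an HTTP-style status: 200 allowed, 401 invalid/expired token, 403 role missing."""
    claims = verify_jwt(bearer_token, JWT_SECRET, now)
    if claims is None or claims.get("typ") != "access":
        return 401        # a refresh token must not be accepted as an access token
    if required_role not in claims.get("roles", []):
        return 403
    return 200
```

The secured service never contacts the authentication service: it re-computes the HMAC over the header and payload it received and compares it with the tag the client presented, so any change to the roles or expiry in the payload makes the tag mismatch and the request is rejected with 401. The `typ` claim keeps the long-lived refresh token from being replayed as an access token, and pinning `alg` on the verifier side prevents the token from dictating how it is checked.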