Reputation: 3764
I am sorry for the stupid question but I am a novice in token usage and maybe don't understand something.
I started to read about JWT and I am confused about its structure. The documentation says that it has three parts:
header
payload
signature
I understand that in payload we keep information and in signature part we keep a signature for payload check. But what is the purpose of the header part? It says that typically it consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.
I apologize if this is a stupid question and in reality we really need to keep information about our method of signature for some purposes, but I haven't found any information explaining why we need this.
Upvotes: 0
Views: 418
Reputation: 54038
The producer of the JWT may have several different available methods for protecting it. It may use symmetric or asymmetric keys with a particular algorithm or key length and it may have different keys for each combination. Such information can be included in the header so that the receiver knows which key and algorithm to use to verify and/or decrypt the JWT.
The receiver and the sender may not be controlled by the same party so in that case it is certainly useful information so that the receiver knows how to verify/decrypt the token if there are multiple methods that the sender could have used. But even in the case that it is controlled by the same party, as you seem to imply, it may allow for smooth upgrades in crypto algorithms, keys or key lengths.
Imagine your server rolling over to a new keypair for signing the JWT that it produces and consumes itself. Then you may want to still be able to verify the existing tokens out there - signed with the old key - for a while. In that case you need to know which key was used to sign the JWT when you receive one.
Upvotes: 1
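The key-rollover scenario in the answer above, as an added example that is not part of the original question or answer: a minimal HS256 signer and verifier where the header names the key (`kid`) and algorithm (`alg`), so a verifier holding both the old and the new key can still check tokens signed with the old one. The key table layout, the key ids and the secrets are constructed for this illustration.

```python
# Added example (not from the question or answer above): a minimal HS256 JWT
# signer/verifier whose header carries "alg" and "kid", so a verifier holding
# several keys can pick the one that signed the token during a key rollover.
import base64, hashlib, hmac, json

# Verifier-side key table (assumed layout): kid -> (approved algorithm, secret).
# Both secrets are constructed for this example.
KEYS = {
    "2023-key": ("HS256", b"old-secret-constructed-for-example"),
    "2024-key": ("HS256", b"new-secret-constructed-for-example"),
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, kid: str) -> str:
    """Produce header.payload.signature, naming the signing key in the header."""
    alg, secret = KEYS[kid]
    header = {"typ": "JWT", "alg": alg, "kid": kid}
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)

def verify(token: str):
    """Return the payload if the signature checks out under the key named by kid, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict):
        return None
    entry = KEYS.get(header.get("kid"))
    if entry is None:
        return None             # key id unknown (or already retired): cannot verify
    alg, secret = entry
    # The algorithm comes from the verifier's own key table; the header's "alg"
    # is only cross-checked against it, never used to choose the method.
    if header.get("alg") != alg:
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(p_b64))
```

Rolling over means adding the new key id to the table and signing with it, while the old id stays in the table until the tokens it signed have expired; dropping the old entry is what finally retires those tokens.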