Json Web Token detailed __JWT

Understanding JWT

JSON Web Tokens (JWT) are a standard way of representing security claims between the add-on and the Atlassian host product . A JWT token is simply a signed JSON object which contains information which enables the receiver to authenticate the Sende R of the request. Table of Contents Structure of a JWT token Header claims Signature JWT libraries Creating a JWT token decoding and verifying a JWT token Dec Oding a JWT token verifying a JWT token creating a query string hash advanced:creating a JWT token manually structur E of a JWT token

A JWT token looks like this:

   
   
    
    
     
     
    
    
    
    
     
     
      
      
       
       
        
        
         
         
         
         
          
          
Eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9.eyjlehaiojezody4otkxmzesimlzcyi6imppcme6mtu0odk1otuilcjxc2gioii4mdyzzmy0y2exztqxzgy3 Ymm5mgm4ywi2zdbmnjiwn2q0otfjzjzkywq3yzy2zwe3otdindyxngi3mtkymmu5iiwiawf0ijoxmzg2odk4otuxfq.ukqu9dtb6gkwg6jqcuxyaimndfnrw9 8hw_iwua5mamo
         
         
         
         
        
        
       
       
      
      
     
     
     
     
    
    
   
   

Once you understand the format, it's actually pretty simple:

   
   
    
    
     
     
    
    
    
    
     
     
      
      
       
       
        
        
         
         
         
         
          
          
<base64url-encoded header>.<base64url-encoded claims>.<base64url-encoded signature>
         
         
         
         
        
        
       
       
      
      
     
     
     
     
    
    
   
   

In other words:you create a header object, with the JSON format. Then you encode it in Base64url to create a claims object, with the JSON format. Then you encode it in Base64url you create a signature for the URI (we'll get to that later). Then you encode it in Base64url your concatenate the three items, with the "." Separator

You are shouldn ' t actually have to doing this manually, as there are libraries available in most languages, as we describe in the JWT Libraries section. However It is important your understand the fields in the JSON header and claims objects described in the next sections: Header

The header object declares the type of the encoded object and the algorithm used for the cryptographic signature. Atlassian Connect always uses the same values for these. The Typ property would be "JWT" and the Alg property would be "HS256".

1
{
2
"  Typ": "JWT",
3
  "ALG": "HS256"
4
}
          
          
         
         
         
         
        
        
       
       
      
      
     
     
     
     
     
     
      
      
      
      
     
     
    
    
   
   

Attribute	Type	Description
"Typ"	String	Type for the token and defaulted to "JWT". Specifies this is a JWT token
"ALG" (mandatory)	String	Algorithm. Specifies the algorithm used to sign the token. In Atlassian-connect version 1.0 we support the HMAC SHA-256 algorithm, which the JWT specificationidentifies using the St Ring "HS256".

Importantyour JWT Library or implementation should discard any tokens which specify Alg:none as this can provide a Bypas S of the token verification.

claims

The claims object contains security information about the message for you ' re transmitting. The attributes of this object provide information to ensure the authenticity of the claim. The information includes the issuer, when the token is issued, when the token would expire, and other contextual On, described below.

1
{
2
  "ISS": "jira:1314039",
3
  "IAT": 1300819370,
4
  "Exp": 1300819380,
5
"  Qsh": "8063ff4ca1e41df7bc90c8ab6d0f6207d491cf6dad7c66ea797b4614b71922e9",
6
"  Sub": "Batman",
7