- Welcome to Part 4 of the Authentication & Identity Security series.
- This article explains JWT, access tokens, refresh tokens, and bearer tokens.
- Designed for Middleware, DevOps, Cloud, API, and Application Support Engineers.
- Includes enterprise examples using APIs, Docker, Azure Entra ID, API Gateway, and modern authentication flows.
Table of Contents
Introduction
In Part 3, we learned the difference between stateful and stateless applications. Traditional enterprise applications commonly use sessions and JSESSIONID, while modern applications and APIs commonly use tokens.
One of the most popular token formats used in modern authentication is JWT.
JWT stands for JSON Web Token.
What is JWT?
JWT, or JSON Web Token, is a compact and signed token format used to securely exchange information between a client and a server.
A JWT can carry identity and authorization information such as:
- User ID
- Email address
- User role
- Issuer
- Audience
- Token expiry time
JWT is commonly used in APIs, microservices, cloud applications, mobile applications, and Single Sign-On systems.
Why JWT is Used
JWT is widely used because it supports stateless authentication. The application does not need to store the user session in server memory.
- Useful for REST APIs
- Works well with Docker-based applications
- Supports microservices architecture
- Easy to validate at API Gateway level
- Used by OAuth2 and OpenID Connect flows
- Used by identity providers such as Azure Entra ID
JWT helps applications scale horizontally because any backend server can validate the token without depending on server-side session memory.
JWT Structure
A JWT contains three parts separated by dots.
Header.Payload.Signature
Example JWT format:
xxxxx.yyyyy.zzzzz
1. Header
The header contains token type and signing algorithm.
{
"alg": "HS256",
"typ": "JWT"
}
2. Payload
The payload contains claims. Claims are information about the user or token.
{
"sub": "pradeep",
"role": "admin",
"iss": "https://login.company.com",
"aud": "api.company.com",
"exp": 1789459200
}
Common JWT Claims
| Claim | Meaning |
|---|---|
| sub | Subject or User ID |
| iss | Issuer of the token |
| aud | Audience or target application |
| exp | Token expiry time |
| iat | Issued at time |
| role | User role or permission |
3. Signature
The signature is used to verify that the token has not been modified.
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
JWT payload is encoded, not encrypted by default. Do not store passwords, secrets, or sensitive personal data inside JWT payload.
How JWT Works
User │ ▼ Login Request │ ▼ Authentication Server │ ▼ Credentials Validated │ ▼ JWT Generated │ ▼ JWT Returned To Client │ ▼ Client Sends JWT With API Requests │ ▼ API Validates JWT │ ▼ Access Granted
Step 1: User Login
POST /login username=pradeep password=********
Step 2: JWT Returned
{
"access_token": "eyJhbGciOiJIUzI1NiIs..."
}
Step 3: API Request With JWT
GET /api/customer Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
The API validates the token signature, expiry, issuer, audience, and claims before allowing access.
Is JWT Generated Every Time?
No. JWT is not generated for every API request.
A JWT is usually generated once during successful login or authentication. The same token is reused for multiple API requests until it expires.
Login │ JWT Generated Once │ Same JWT Sent With Every API Request │ Token Expires │ New Token Required
When is a New JWT Generated?
- When the user logs in again
- When the access token expires and a refresh token is used
- When the authentication server rotates or renews tokens
- When the user signs out and signs in again
The client sends the same JWT with every request using the Authorization header until the token expires.
Access Token, Refresh Token & Bearer Token
| Token Type | Purpose | Typical Lifetime |
|---|---|---|
| Access Token | Used to access APIs and protected resources | Short-lived |
| Refresh Token | Used to get a new access token | Longer-lived |
| Bearer Token | Token sent in Authorization header | Depends on token expiry |
Bearer Token Example
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Bearer means whoever has the token can use it. That is why token storage and transport security are very important.
Enterprise Middleware Example
Traditional Session-Based Application
Browser │ JSESSIONID Cookie │ IBM HTTP Server │ WebSphere / JBoss / Tomcat │ Session Stored in JVM Memory
This is commonly used in traditional enterprise web applications.
Modern JWT-Based API
Client Application │ Authorization: Bearer JWT │ API Gateway │ Backend API / Microservice │ Token Validated
This is commonly used in APIs, microservices, Docker deployments, and cloud-native applications.
Azure Entra ID Example
Azure Entra ID can act as an identity provider and issue tokens after successful authentication.
User │ ▼ Application │ ▼ Azure Entra ID Login │ ▼ MFA / Conditional Access │ ▼ Access Token Issued │ ▼ Application Calls API
The API validates the token issued by Azure Entra ID before allowing access to protected resources.
Azure Entra ID tokens are commonly used for Microsoft 365, Azure Portal, enterprise applications, APIs, and Single Sign-On integrations.
JWT Security Best Practices
- Always use HTTPS to protect tokens in transit.
- Keep access tokens short-lived.
- Use refresh tokens carefully and store them securely.
- Validate token signature on every request.
- Validate issuer and audience claims.
- Never store passwords or secrets inside JWT payload.
- Use secure storage for tokens in browser or mobile applications.
- Rotate signing keys periodically.
- Use API Gateway or identity middleware for centralized validation.
Session vs JWT
| Point | Session | JWT |
|---|---|---|
| Architecture | Stateful | Stateless |
| User Data | Stored on server | Stored as token claims |
| Identifier | JSESSIONID | Bearer Token |
| Scaling | Needs sticky session or replication | Easier horizontal scaling |
| Common Use | Traditional web apps | APIs and microservices |
| Example Platform | WebSphere, JBoss, Tomcat | API Gateway, Docker, Cloud APIs |
Common JWT Issues
| Issue | Possible Cause |
|---|---|
| 401 Unauthorized | Token expired or invalid |
| Invalid signature | Wrong signing key or modified token |
| Audience validation failed | Token issued for different API |
| Issuer validation failed | Wrong identity provider configured |
| Token too large | Too many claims added |
| Token theft risk | Insecure storage or missing HTTPS |
Key Takeaways
- JWT stands for JSON Web Token.
- JWT contains Header, Payload, and Signature.
- JWT is commonly used for stateless authentication.
- A JWT is usually generated during login and reused until expiry.
- Access tokens are used to access APIs.
- Refresh tokens are used to get new access tokens.
- Bearer tokens are sent in the Authorization header.
- JWT is widely used in APIs, Docker applications, cloud platforms, and microservices.
What’s Next?
Part 5 – JWT vs Session vs Cookies
In the next article, we will compare JWT, sessions, and cookies in detail and understand when to use each approach in enterprise applications.
Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog:
MiddlewareBox.com
No comments:
Post a Comment