Introduction to JWT

In this article

    Completely new to token-based access control? We've got you covered!

    What is JWT anyway?

    JWT is short for JSON Web Token:


    A string representing a set of claims as a JSON object that is encoded in a JWS or JWE, 
    enabling the claims to be digitally signed or MACed and/or encrypted. (RFC7519)

    A JWT has 3 parts: header, payload, signature.

    ID Token

    JWT header

    The header will show that the token type is JWT and which algorithm that has been used to sign it.


    JWT payload

    The payload is the actual data of the JWT. It consists of a list of claims - each claim is a name-value pair.

    A claim can be either standard OpenID Connect or custom (with its own namespace).

      "sub": "",
      "": "5",
      "": "central-superid",
      "": "",
      "": "",
      "": "False",
      "": "Cust26759",
      "": "Tonys Developer Network",
      "": "1801550193",
      "": "",
      "": "",
      "": "SuperOffice DevNet Node OIDC-8k8Q7DmBgo",
      "iat": "1581665207",
      "": "TY",
      "": "",
      "nonce": "637172620046685267.NmU2ZmRjNTctYjU0ZS00ZDRlLThkNjgtOTBlZmY2N2QyYjc3MzYzZWE1YjctYTUxYS00NDM1LWE1YTEtNDEzYTMxNTgxMzA0",
      "nbf": 1581665147,
      "exp": 1581665507,
      "iss": "",
      "aud": "6cf25376616343b38d14ddcd804f2891"

    JWT signature

    Signatures verify that the information was sent from the sender and that the information has not been altered.

    What does it mean to validate tokens?

    1. Is the JWT well-formed (has 3 period-separated sections)? 
    2. Parse the string and extract and B64 decode the components - are they valid JSON?
    3. Is the signature OK?
    4. Are the standard claims OK? Check there is a required sub claim and other OICD claims.
    5. Check the namespace-specific claims.

    If any of these tests fail, the JWT should be rejected and not trusted. 

    Why should I validate tokens?

    Token validation establishes trust for the authentication mechanism:

    • The token was issued by SuperOffice
    • The token was issued to this user
    • That user has granted the application access to the listed operation

    Are all tokens used in SuperOffice CRM Online JWTs?

    No. Only the ID token follows the JWT pattern. 

    Read more: access tokens, refresh tokens, system user tokens, bearer tokens and SOTickets