Trading Networks 10.3 | Administering and Monitoring B2B Transactions | Integration Server Administrator's Guide | Configuring Integration Server to Use JWT | Overview of JWT
 
Overview of JWT
JSON Web Token (JWT) is a JSON-based standard (RFC 7519) that provides a secure means of exchanging claims between two parties. JWT represents claims in a compact format intended for space-constrained environments such as HTTP Authorization headers. The claims are encoded as a JSON object, which is used as the payload of the JWT.
JWT authentication is stateless: the user's state is never saved in server memory. JWTs are self-contained, that is, each token carries all the information about the user that the server needs.
JWT Structure
The JWT structure is comprised of the following elements:
*Header. Identifies the token type (typ) and the signing algorithm (alg) used to protect the token. In this case the token type is JWT.
*Payload. Contains the JWT claims. Claims are statements about an entity (typically the user) together with additional metadata to be transmitted to the server. Claims fall into three types:
    *Registered claims. A set of predefined claims that are not mandatory but are recommended.
    *Public claims. A set of user-defined claims.
    *Private claims. A set of custom claims created to share information between parties that agree on using them.
*Signature. Ensures the integrity of the JWT header and payload; it is computed over both using the algorithm named in the header.
A JWT therefore looks like header.payload.signature, with each of the three parts base64url-encoded and separated by dots.
Registered Claims
Registered claims are registered in the IANA JSON Web Token Claims registry. The following are some of the commonly used registered claims:
| Claim Name | Description |
| --- | --- |
| iss (Issuer) | Identifies the principal that issued the JWT. |
| sub (Subject) | Identifies the principal that is the subject of the JWT. |
| aud (Audience) | Identifies the recipients that the JWT is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. |
| exp (Expiration Time) | Identifies the expiration time on or after which the JWT cannot be accepted for processing. |
| nbf (Not Before) | Identifies the time before which the JWT must not be accepted for processing. |
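The header.payload.signature structure and the exp, nbf and aud checks from the table above, worked through in Python as an added example (this is not code from Integration Server or from this guide): it mints an HS256 token with only the standard library and then verifies it the way a resource server should, pinning the expected algorithm, checking the signature in constant time, and applying the time and audience claims. The key and claims are constructed placeholders.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    # JWS uses base64url without "=" padding for all three segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def create_jwt(claims: dict, key: bytes) -> str:
    # Header names the token type and the MAC algorithm (HS256 = HMAC-SHA256)
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)  # header.payload.signature

def verify_jwt(token: str, key: bytes, audience: str, now: int) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # The verifier pins the algorithm it expects; the token must not choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if "exp" in claims and now >= claims["exp"]:   # rejected on or after exp
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:    # rejected before nbf
        raise ValueError("token not yet valid")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims

def rejection_reason(token, key, audience, now):
    # None when the token is accepted, otherwise the reason it was rejected
    try:
        verify_jwt(token, key, audience, now)
        return None
    except ValueError as err:
        return str(err)

# Constructed sample: the key and claims are placeholders, not real credentials
KEY = b"constructed-demo-key"
CLAIMS = {"iss": "https://issuer.example", "sub": "alice", "aud": "orders-api",
          "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600}
```

Passing `now` explicitly keeps the checks reproducible; a real verifier would pass the current time and usually a small clock-skew allowance.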