Understanding JWT (JSON Web Token): Definition, Mechanism, Structure, and SSO Applications

This article explains what JSON Web Token (JWT) is, its underlying mechanism and data structure, compares it with traditional session authentication, and demonstrates how JWT can be used for cross‑domain single sign‑on, access/refresh token handling, and secure API authentication.

Top Architect

The article introduces JWT (JSON Web Token) as a compact, URL‑safe token format defined by RFC 7519, designed for transmitting claims between an identity provider and a service provider, especially in distributed single sign‑on (SSO) scenarios.

It outlines typical use cases for JWT, such as authorization (lightweight SSO without server‑side session storage) and secure information exchange between services, emphasizing its stateless nature.

Traditional session authentication is described step by step:

1. The user sends a username and password to the server.
2. After verifying them, the server stores related data in the current session, such as the user's role and login time.
3. The server returns a session_id to the user, written into the user's Cookie.
4. On every subsequent request, the user sends the session_id back to the server via the Cookie.
5. The server receives the session_id, looks up the data saved earlier, and thereby learns the user's identity.

The limitations of session‑based authentication for scaling and cross‑domain scenarios are discussed, leading to the introduction of JWT as a stateless alternative.

JWT’s three parts—Header, Payload, and Signature—are detailed. The Header example is shown as JSON:

{
  "alg": "HS256",
  "typ": "JWT"
}

The Payload contains standard registered claims (iss, exp, sub, aud, nbf, iat, jti) and can include custom fields, e.g.:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

The Signature is generated using HMAC‑SHA256 over the Base64URL‑encoded Header and Payload with a secret key, as expressed by the formula:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

All three parts are concatenated with dots to form the final token, which is typically transmitted in the HTTP Authorization header:

Authorization: Bearer <token>

Base64URL encoding replaces '+' with '-' and '/' with '_' and omits the '=' padding, which makes the token safe to place in URLs and headers.

The article then presents a typical JWT authentication flow, comparing it with session authentication, and shows diagrams of the process.

It also explains the concept of Access Token and Refresh Token, their lifetimes, and how they cooperate: the client obtains both tokens from the authentication server, uses the Access Token to call resource servers, and refreshes it with the Refresh Token when it expires.

Finally, the article provides practical guidance on integrating JWT in a project, including creating a helper library, adding an interceptor to validate tokens, and setting the token in response headers.

Written by

Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
