Why do you use base64 URL encoding with JSON web tokens?
The Scenario:

I'm reading about JSON web tokens at this link (https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec). It outlines how to create a JSON web token: you create a header and a payload, and then create a signature using the following pseudocode:

data = base64urlEncode( header ) + "." + base64urlEncode( payload )
hashedData = hash( data, secret )
signature = base64urlEncode( hashedData )

My Question:

Why does the pseudocode use base64urlEncode when creating data and signature?

Scope Of What I Understand So Far:

Base64 allows you to express binary data using text characters from the Base64 set of 64 text characters. This is usually used when you have a set of data that you want to pass through some channel that might misinterpret some of the characters, but would not misinterpret Base64 characters, so you encode it using Base64 so that the data won't get misinterpreted. Base64 URL encoding, on the other hand, is analogous to Base64 encoding except that you use only a subset of the Base64 character set that does not include characters that have special meaning in URLs, so that if you use the Base64 URL encoded string in a URL, its meaning won't get misinterpreted.

Assuming my understanding there is correct, I'm trying to understand why base64urlEncode() is used in computing data and signature in the pseudocode above. Is the signature of a JSON web token going to be used somewhere in a URL? If so, why is data base64urlEncoded as well before hashing? Why not just encode the signature? Is there something about the hash function that would require its data parameter to be Base64 URL encoded?

Excaudate answered 21/6, 2019 at 22:35
Is base64url encoded because that's what the standard specifies. – Recognizance

There is no special character used in the http protocol so safe to use in a web context without additional encoding. – Muirhead

It doesn't use a subset of the base64 character set. Instead, it replaces '+' and '/' with '-' and '_'. If it only used a subset, it would be base62 encoding. – Chalybite

I'm using JWT to implement password reset links. That means passing a JWT token in a URL. The fact that it's already URL encoded makes that a lot more convenient. I suspect this is why URL encode was chosen. – Hah

@Jim Mischel Why does it replace those two characters? – Paleogeography

@Paleogeography Because the characters '+' and '/' have special meaning in URLs and filenames. See en.wikipedia.org/wiki/Base64#Variants_summary_table – Chalybite
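The following is an added worked example, not code from the question or from the linked Medium article. It implements the pseudocode from the question with the Python standard library: base64url encoding (RFC 4648 section 5 alphabet, with '=' padding stripped as JWS requires), an HS256 signing routine in which "hash( data, secret )" becomes HMAC-SHA256 over the already-encoded "header.payload" text, and a verifier. It also encodes one constructed byte string both ways so the '+', '/' and '=' characters of standard base64 can be seen turning into '-' and '_' in base64url. The secret and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import string

# Characters a compact JWT may contain: the base64url alphabet plus the '.' separator.
# None of them are reserved in a URL path, query or fragment, so no percent-encoding is needed.
JWT_ALPHABET = set(string.ascii_letters + string.digits + "-_.")

# Constructed sample values for the demo; a real secret must be random and kept out of source.
SECRET = b"constructed-demo-secret-do-not-reuse"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "Example", "iat": 1516239022}


def b64url_encode(raw: bytes) -> str:
    # RFC 7515 base64url: '+' becomes '-', '/' becomes '_', and the '=' padding is dropped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped; the length mod 4 tells how many '=' are missing.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encodings(raw: bytes) -> dict:
    """Encode the same bytes in standard base64 and in base64url so the two alphabets differ visibly."""
    return {"standard": base64.b64encode(raw).decode("ascii"), "urlsafe": b64url_encode(raw)}


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature exactly as the pseudocode does, with HMAC-SHA256 as hash()."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    # The signing input is the base64url text, not the raw JSON: both sides can reproduce it byte-for-byte
    # and it is what actually travels in the token, so the MAC covers precisely what the verifier receives.
    data = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    mac = hmac.new(secret, data.encode("ascii"), hashlib.sha256).digest()
    return data + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes):
    """Return the payload dict if the signature checks out under HS256, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return None
    # Pin the algorithm on the verifier side; never let the token's own header pick it
    # (rejects "alg":"none" and key-confusion tricks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(body_b64))


def is_url_safe(token: str) -> bool:
    """True when every character of the token survives a URL without percent-encoding."""
    return set(token) <= JWT_ALPHABET


if __name__ == "__main__":
    token = sign_hs256(HEADER, PAYLOAD, SECRET)
    print(token)
    print("url-safe:", is_url_safe(token))
    print("verified payload:", verify_hs256(token, SECRET))
    print(encodings(bytes(range(256))))  # standard form shows '+', '/' and '==' ; urlsafe form does not
```

The point the question circles around is the last print: standard base64 of arbitrary bytes (a MAC output is arbitrary bytes) can contain '+', '/' and '=', all of which mean something in a URL, whereas the base64url form does not, so a token built this way can be dropped into a query string or fragment as-is. The header and payload are encoded before hashing for a second reason: the MAC has to be computed over the exact text that is transmitted, so sender and verifier agree on the input without re-serialising JSON.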

When using the OAuth Implicit Grant, JWTs may be transferred as part of URL fragments.

That is just an example, but I guess in general it was presumed that JWTs might be passed through URLs, so base64url-encoding them makes sense.

The first line of the IETF JWT standard abstract even says: "JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties."

(Note that the OAuth Implicit Grant is no longer recommended to be used.)

Winny answered 14/10, 2021 at 10:13
