Insights
Insights

From JWT to SD-JWT: The Evolution of Web Security and Privacy

From JWT to SD-JWT: The Evolution of Web Security and Privacy

Lukas Han

Mar 26, 2024

Introduction

JWT (JSON Web Token) is a widely used open standard that enables information to be securely transmitted between parties. The information is represented as JSON objects and can be digitally signed to ensure integrity. As a stateless and scalable solution, JWT is frequently utilized for authentication and information exchange in web services.

SD-JWT (Selective Disclosure for JWT) builds on top of this foundation by adding a layer of privacy and selective information sharing. It allows the holder of a JWT to reveal only specific pieces of information to a verifier without exposing the entire token content. This capability is especially useful in scenarios where privacy concerns are paramount and only certain data needs to be shared in the verification process.

JWT and SD-JWT are both excellent solutions for secure information handling in web applications. However, JWT provides a standardized method for secure communication while SD-JWT expands even further by offering advanced privacy control when selective data disclosure is needed.

Example Usage of SD-JWT

For instance, SD-JWT enables flexible access control for API authorization.

Suppose that the user ID is the only thing needed for a user token to access basic services. With SD-JWT’s advanced features, the token can selectively disclose the 'role: admin' and 'email: user@email.com' claims, granting access to the ID without having to expose unnecessary sensitive information. Such an approach provides different access levels even within a single token, ensuring privacy and security.

How does SD-JWT work?

SD-JWT operates by allowing claims within a JWT to be selectively disclosed while ensuring these claims are cryptographically protected against unauthorized modification.

The structure of SD-JWT incorporates the issuer-signed JWT, selective disclosures, and an optional key binding JWT, linked together by tilde characters. When an issuer provides a SD-JWT to a holder, the SD-JWT includes both the signed JWT and the cleartext version of any hidden claims outside the signed portion. The holder can then decide which claim to reveal to the verifier, enabling the verifier to confirm that these claims were indeed issued by the original issuer without having to know about the undisclosed information.

For detailed explanation and examples, please visit What is SD-JWT?.

JWT vs SD-JWT

Legend: ✅ supported, ❌ not supported

While JWT and SD-JWT both offer cryptographic protection and support for stateless authentication, SD-JWT addresses scenarios JWT is not designed for with its selective data disclosure and privacy controls features.

Conclusion

The shift from JWT to SD-JWT marks a crucial evolution towards greater digital privacy and selective information sharing, combining strong security measures with enhanced user control. This advancement highlights the increasing demand for adaptable, privacy-conscious technologies in safeguarding digital interactions.

Want to learn more about SD-JWT? Visit sdjwt.js.org now!

contact@hopae.com

166 Geary St. 15th Floor, San Francisco, CA 94108, United States

© 2024 Hopae Inc. All rights reserved.

contact@hopae.com

166 Geary St. 15th Floor, San Francisco, CA 94108, United States

© 2024 Hopae Inc. All rights reserved.

contact@hopae.com

166 Geary St. 15th Floor, San Francisco, CA 94108, United States

© 2024 Hopae Inc. All rights reserved.