JSON Web Tokens
JWT is pronounced "jot". Yeah.
Objectives:
- Explain why JWTs are used
- Explain what a JWT is
- Explain how JWTs are implemented
Before we get started:
Server-side! We are back in Express land.
We need to take a look again at the authentication/authorization landscape before we jump into JWTs...
Classical Authentication
Client
Server
1. Client sends user/password
2. Server validates user/pass and upon success creates a signed cookie
3. Server sends cookie
4. All further requests send the signed cookie (the browser attaches it automatically for that domain)
5. All further requests check the cookie's signature
Token Authentication
Client
Server
1. Client sends user/password
2. Server validates user/pass and upon success creates a signed JWT
3. Server sends the JWT
4. All further requests send the JWT (the client attaches it itself, typically in an Authorization header)
5. All further requests verify the JWT's signature
Those Look The Same
- The basic pattern (prove who you are once, then carry a server-signed proof on every later request) has not changed much since paper-based cryptography.
- What has changed is the mechanism for keeping the secret.
- JWTs and cookies are different standards that behave differently in implementation, but similarly in concept.
- Cookies are scoped to a domain and attached automatically by the browser; a JWT is carried explicitly by the client, so it can be sent to any origin the client chooses, which is what makes cross-origin auth straightforward.
- The flip side: nothing attaches a JWT for you, so the client has to store it, and wherever it is stored must be protected as carefully as a session cookie would be.
JWT: More Why
Compact
It's small enough to fit inside an HTTP Header
Self-Contained
Contains everything we need to know about the user: the claims (user id, name, role, expiry) travel inside the token, so the server does not need a session lookup to check a request. The trade-off is that a token stays valid until it expires unless the server keeps extra state to revoke it.
JWT: Why
Your Turn!
Everyone spend 8 seconds thinking about these questions, and then Matt will call on someone:
Why do apps use JWTs?
How are JWTs and cookies different?
Who makes the JWT and where is it stored?
What is JWT?
Transmits JSON claims between two parties in a way that lets the receiver verify they have not been altered (a signature, not encryption)
Acts a lot like a cookie, but has some nice benefits over cookies
Tastes less good than cookies
A deeper look:
It's a JSON object that has been base64url-encoded and signed, then packaged in a particular way to allow cross-origin auth. It is not encrypted: anyone holding the token can read the header and payload.
Most servers use it to check the authorization of routes after a user has been authenticated.
It can also be used to share information between two parties; if that information must stay confidential, the encrypted variant (JWE) is needed rather than the signed form shown here.
JWT: Take a look
xxxxx.yyyyy.zzzzz
xxxxx = Header
yyyyy = Payload
zzzzz = Signature
JWT Header
{
"alg": "HS256",
"typ": "JWT"
}
"alg": short for "algorithm"; the signing algorithm (HS256 is HMAC with SHA-256)
"typ": the token type, "JWT" for the tokens we use here
The header is base64url-encoded (not encrypted; anyone can decode it) and stored as the first part of the JWT.
Because anyone can write a header, the verifier should pin the algorithm it expects rather than trusting whatever "alg" the token claims.
JWT Payload: Your Data
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
Like the header, the payload is base64url-encoded (not encrypted) and stored as the second part of the JWT.
The payload is any JSON info you want to store on the client. Anyone holding the token can read it, so never put passwords or other secrets in it; the signature only proves it has not been changed.
JWT Signature: a keyed hash, not encryption
var token = jwt.sign(
{sub: "1234567890", name: "John Doe", admin: true},
"Super secret secret secret 1234abcd",
{algorithm: "HS256", expiresIn: "2 days"}
);
jwt.sign returns the whole token (header.payload.signature); the signature is its last part.
Unlike the header and payload, the signature cannot be decoded back into anything: it is an HMAC-SHA256 over the first two (encoded) parts, keyed with the secret.
Anyone can recompute a hash of the header and payload, but without the secret they cannot produce a valid signature, so changing either part invalidates the token. Roughly as bcrypt mixes a salt into the hash so the output depends on both inputs, the signature depends on the token contents and the secret together, which is what certifies that the JWT has not been altered in any way.
JWT: What are they?
Your Turn!
Everyone turn to your neighbor and explain JWTs in your own words.
5 minute break!
Let's look at some implementation:
JWT: How?
Generating JWTs
To generate:
var jwt = require("jsonwebtoken");
var token = jwt.sign({name:"Liz"},"super-top-secret-string-of-secrets");
To verify and decode:
var t = jwt.verify(token,"super-top-secret-string-of-secrets");
console.log(t);
Note: jwt.decode(token) only base64-decodes the payload and ignores any secret passed to it; it does not check the signature. Use jwt.verify wherever the result is trusted.
Set the header:
res.setHeader("Authorization","Bearer "+ token);
Whichever way the server hands the token over (a response header as here, or a JSON body), the client must send it back on every later request as Authorization: Bearer <token>.
Verifying JWTs
var jwt = require("jsonwebtoken");
var secret = process.env.JWT_SECRET; // assumed: the same secret that was passed to jwt.sign

function checkToken(req,res,next){
  var header = req.headers.authorization || "";
  var parts = header.split(" ");
  if (parts[0] !== "Bearer" || !parts[1]) {
    return res.status(401).send("Not Authorized");
  }
  var decoded;
  try {
    // pin the algorithm so a token claiming "none" or some other alg is rejected
    decoded = jwt.verify(parts[1], secret, {algorithms: ["HS256"]});
  } catch(err) {
    // bad signature, expired or malformed: the client only learns the token was rejected
    return res.status(401).send("Not Authorized");
  }
  // route params are strings; compare as strings so a numeric id still matches
  if(req.params.id && String(decoded.id) === String(req.params.id)){
    req.decoded_id = decoded.id;
    return next();
  }
  res.status(401).send("Not Authorized");
}
// attach this to a route or mount path that declares :id; otherwise
// req.params.id is undefined and every request is answered with 401
router.use(checkToken);
Login with JWT
JWT: How?
An excellent additional resource:
JWTs ahoy!
JSON Web Tokens
By Lionel Lints