JSON Web Tokens

JWT is pronounced "jot". Yeah.

JSON Web Tokens

 

  • Explain why JWTs are used
  • Explain what a JWT is
  • Explain how JWTs are implemented

Objectives:

Before we get started:

Server-side! We are back in express land

We need to take a look again at the authentication/authorization landscape before we jump into JWTs...

Classical Authentication

Client

Server

1. Client sends user/password

Classical Authentication

Client

Server

1. Client sends user/password

2. Server validates user/pass and upon success creates a cookie

Classical Authentication

Client

Server

1. Client sends user/password

2. Server validates user/pass and upon success creates a signed cookie

3. Server sends cookie

Classical Authentication

Client

Server

1. Client sends user/password

2. Server validates user/pass and upon success creates a signed cookie

3. Server sends cookie

4.
All further communication

involves the signed cookie

Classical Authentication

Client

Server

1. Client sends user/password

2. Server validates user/pass and upon success creates a signed cookie

3. Server sends cookie

4.
All further requests

send the signed cookie

5.

All further requests check the cookie

Token Authentication

Client

Server

1. Client sends user/password

2. Server validates user/pass and upon success creates a JWT (which are signed)

3. Server sends JWT

4.
All further requests

send the JWT

5.

All further requests check the JWT

Those Look The Same

  • Established best practices for securing information have not changed much even since paper based cryptography.
     
  • What has changed is the mechanism for keeping the secret.
     
  • JWTs and Cookies are different standards that behave differently in implementation, but similarly in concept.

 

  • JWTs allow cross-origin requests, where cookies are linked to specific origins.

JWT:  More Why

Compact

It's small enough to fit inside an HTTP Header

Self-Contained

Contains everything we need to know about the user

JWT: Why 

Your Turn!

Everyone spend 8 seconds thinking about these 2 questions, and then Matt will call on someone:

JWT: Why 

Your Turn!

Why do apps use JWTs?

JWT: Why 

Your Turn!

Why do apps use JWTs?

How are JWTs and cookies different?

JWT: Why 

Your Turn!

Why do apps use JWTs?

How are JWTs and cookies different?

Who makes the JWT and where is it stored?

What is JWT?

Securely transmits JSON between two parties

What is JWT?

Securely transmits JSON between two parties

What is JWT?

Acts a lot like a cookie, but has some nice benefits over cookies

Securely transmits JSON between two parties

What is JWT?

Acts a lot like a cookie, but has some nice benefits over cookies

Tastes less good than cookies

What is JWT?

A deeper look:

It's a JSON Object that has been encrypted & stored in a particular way to allow cross-origin Auth.

Most servers use it to check the authorization of routes after a user has been authenticated.

It can also be used to share encrypted information between 2 parties.

JWT: Take a look

xxxxx.

yyyyy.

zzzzz

Header

Payload

Signature

JWT Header

{
  "alg": "HS256",
  "typ": "JWT"
}

"alg" : Short for "Algorithm"

"typ" : is always "JWT"

The header is 2-way encrypted and stored as the first part of the JWT.

JWT Payload: Your Data

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Like the header, the payload is 2-way encrypted and stored as the second part of the JWT.

The Payload is any JSON info you want to store on the client

JWT Signature: 1-way encoding!

var signature = jwt.sign(
  {sub: 1234567890, name: "John Doe", admin: true}, 
  "Super secret secret secret 1234abcd",
  {algorithm: "HS256", expiresIn: "2 days"}
);

Unlike the header and payload, the signature is 1-way encrypted and stored as the last part of the JWT.

The signature is a hash of the first 2 parts of the JWT, and the secret

Kind of like how bcrypt hashes a salt together with the secret, the 2 first pieces become a unique key which certify that the JWT has not been altered in any way.

JWT: What are they? 

Your Turn!

Everyone turn to your neighbor and explain JWTs in your own words.

5 minute break!

Lets look at some implementation:

JWT: How?

Generating JWTs

var jwt = require("jsonwebtoken");
var token = jwt.sign({name:"Liz"},"super-top-secret-string-of-secrets");

var t = jwt.decode(token,"super-top-secret-string-of-secrets");
console.log(t);

To generate:

To decode:

Set the header:

res.setHeader("Authorization","Bearer "+ token);

Verifying JWTs

function checkToken(req,res,next){
  try {
    var decoded = jwt.verify(req.headers.authorization.split(" ")[1], secret);
    if(req.params.id && decoded.id === req.params.id){
      req.decoded_id = decoded.id;
      next();
    }
    else {
      res.status(401).send("Not Authorized");
    }
  } catch(err) {
    res.status(500).send(err.message);
  }
}

router.use(checkHeaders);

Login with JWT

JWT: How?

An excellent additional resource:

JWTs ahoy!

JSON Web Tokens

By Lionel Lints

JSON Web Tokens

  • 835