JSON Web Tokens

JWT is pronounced "jot". Yeah.

JSON Web Tokens

Objectives:

  • What is a JWT
  • Why do I use this
  • How do I use it

What is JWT?

Securely transmit JSON between two parties

What is JWT?

It's a JSON Object that has been encrypted & stored in a particular way

Most people use it for Authentication

JWT: Why

Compact

It's small enough to fit inside an HTTP Header

Self-Contained

Contains everything we need to know about the user

JWT: Take a look

xxxxx.yyyyy.zzzzz

  xxxxx = Header
  yyyyy = Payload
  zzzzz = Signature

JWT Header

{
  "alg": "HS256",
  "typ": "JWT"
}

"alg" : short for "Algorithm", the algorithm used to sign the token

"typ" : always "JWT"

JWT Payload: Your Data

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Generating JWTs

To generate:

var jwt = require("jsonwebtoken");
var secret = "super-top-secret-string-of-secrets";
var token = jwt.sign({name:"Liz"}, secret);

To decode:

// decode() only reads the payload; it does not check the signature
var t = jwt.decode(token);
console.log(t);
// to check the signature as well, use jwt.verify(token, secret)

Set the header:

res.setHeader("Authorization","Bearer "+ token);

Verifying JWTs

var jwt = require("jsonwebtoken");
var secret = "super-top-secret-string-of-secrets"; // same secret used to sign

function checkToken(req, res, next) {
  var auth = req.headers.authorization || "";
  var parts = auth.split(" ");
  if (parts[0] !== "Bearer" || !parts[1]) {
    return res.status(401).send("Not Authorized"); // no bearer token sent
  }
  try {
    // verify() checks the signature (and exp, if present); decode() would not
    var decoded = jwt.verify(parts[1], secret);
    if (req.params.id && decoded.id === req.params.id) {
      req.decoded_id = decoded.id;
      next();
    } else {
      res.status(401).send("Not Authorized");
    }
  } catch (err) {
    // a bad or expired token is the client's problem, not a server error
    res.status(401).send("Not Authorized");
  }
}

router.use(checkToken);

Login with JWT

TOGETHER!