JSON
WEB
TOKENS
By Tommy Marshall
What is JWT
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
(jwt.io)
A standard for signing, sending and receiving tokens to validate something.
(me)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/174497/images/7452736/pasted-from-clipboard.png)
Using Sessions
Using Tokens
![](https://s3.amazonaws.com/media-p.slid.es/uploads/174497/images/7452739/pasted-from-clipboard.png)
What makes up a JSON WEB TOKEN
- Header
- Payload
- Signature
header.payload.signature
xxxxxx.yyyyyy.zzzzzz
![](https://s3.amazonaws.com/media-p.slid.es/uploads/174497/images/7452920/pasted-from-clipboard.png)
HEADER
Consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/174497/images/7452924/pasted-from-clipboard.png)
PAYLOAD
Contains the data which is to be serialized and checked against.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/174497/images/7452925/pasted-from-clipboard.png)
SIGNATURE
A hash which is a serialized string consisting base64 encoded of the previous two parts of the token (headers and payload) and a secret that lives on the server.
DEMO
BENEFITS
- Stateless – No session to manage
- Portable – Same token used across services
- Performance – No extra lookups, just validate the signature
- Decoupled/Decentralized – Auth server to sign tokens, other app/resource servers don't need to auth. Shared sessions across servers is hard!
Drawbacks
- Tokens live forever – Must expire tokens, enforce algorithm.
- Refresh Tokens – Store refresh tokens in DB, delete when used to log in.
- Security – Storing in localStorage, secure XSS. Storing as Cookies, secure CSRF and use httpOnly cookies.
- Security – You have to protect your secret at all costs... or regenerate a new one.
HUGE Drawbacks
- Banned Users – They still have valid tokens!
You're going to need a Database call anyways in case a user's role/permission changes.
Then why?
Using them for services that connect multiple 3rd party services can be useful!
Could we do this?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/174497/images/7453044/pasted-from-clipboard.png)
Thanks!
JWT
By Tommy Marshall
JWT
- 1,064