Json Web Token - JWT
Download as PPTX, PDF2 likes7,116 views
JSON Web Tokens (JWT) are an open standard for securely transmitting information as a JSON object, commonly used for authorization and information exchange. They are compact, self-contained, and can be signed using either a secret or a key pair, which adds to their security and efficiency in user authentication. The document outlines the JWT format, its claims, and the authentication process involving the creation and verification of JWTs in application servers.
![JWT format
Authentication
Server
User Sign In ([username/password])
User Authenticated, JWT Created and return to USER
1
2
{header.payload.signature
}
{JWT}
User
Application
Server
User passes [JWT] When making API Calls3
Application verifies and processes API Call4](https://image.slidesharecdn.com/jsonwebtoken-jwt-190319052318/85/Json-Web-Token-JWT-10-320.jpg)
Json Web Token - JWT
- 1. JSON Web Token (JWT) Prashant Walke
- 2. Overview What is JSON Web Token? JSON Web Tokens Uses ● Authorization ● Information Exchange How do JSON Web Tokens work
- 3. What is JSON Web Token? ● JWT is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. ● This information can be verified and trusted because it is digitally signed. ● JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
- 4. JSON Web Tokens Uses Authorization ● Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Information Exchange ● JSON Web Tokens are a good way of securely transmitting information between parties
- 5. Why should we use JSON Web Tokens? ● Security - Securely transmitting information between parties using public/private key pairs ● Ease - Ease of client-side processing of the JSON Web token on multiple platforms, especially mobile. ● Compact -Because of its size, it can be sent through an URL, POST parameter, or inside an HTTP header. Additionally, due to its size its transmission is fast. ● Self-Contained - The payload contains all the required information about the user, to avoid querying the database more than once.
- 6. How do JSON Web Tokens work?
- 7. JWT format header.payload.signature ● Header - consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA. For example: { "alg": "HS256", "typ": "JWT" }
- 8. JWT format header.payload.signature ● Payload- Contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims. For example: { "user_id": "4" }
- 9. JWT format header.payload.signature ● Signature - To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. For example (HMAC SHA256 algorithm): HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
- 10. JWT format Authentication Server User Sign In ([username/password]) User Authenticated, JWT Created and return to USER 1 2 {header.payload.signature } {JWT} User Application Server User passes [JWT] When making API Calls3 Application verifies and processes API Call4
- 11. JWT to verify the authenticity of a user ● User first signs into the authentication server using the authentication server’s login system (e.g. username and password, Facebook login, Google login, Twitter etc). ● The authentication server then creates the JWT and sends it to the user. ● When the user makes API calls to the application, the user passes the JWT along with the API call. ● In this setup, the application server would be configured to verify that the incoming JWT are created by the authentication server ● When the user makes API calls with the attached JWT, the application can use the JWT to verify that the API call is coming from an authenticated user.
- 12. Conclusion Definitely having reliable way to authenticate user is the first thing on the list and using JWT Authentication as an best authentication method.