JSON Web Tokens
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbWF0dGhpYXNsaWVuYXUuZGUiLCJzdWIiOiJtYXR0aGlhc0BtbGllbmF1LmRlIiwibmJmIjoxNDM0NDg3MTcxLCJleHAiOjE0MzQ0OTA3NzEsImlhdCI6MTQzNDQ4NzE3MSwianRpIjoiaWQxMjM0NTYifQ.6EvmzqDobXY5fBFQ0z43Zj7wy_eMNIx6bFETCKSAQeQ
BTW: Don't mix up authentication techniques (sessions, tokens) and transport mechanisms (headers, cookies)!
JWT: JSON Web Token
IETF: RFC 7519
Using JWT with node.js and AngularJS
Steps:
- Client: Send authentication information
- API: Authenticate user and generate JWT
- Client: Retrieve token from server and store it
- Client: Re-send token for named resources
- Server: Validate token and grant access
Token Based Auth?
Let's have a look at some code...
Web Tokens...
- are pieces of information exchanged on requests
- sent as a header field or query parameter
- typically used for authentication / authorization purposes
- are transferred with every request where access to a resource has to be authenticated
- well known from e.g. OAuth/OAuth2
- Benefits: CORS, easier integration with (mobile) SPA, well suited for SSO, no CSRF (no Cookies)...
- may be seen as a "ticket" or "voucher"
Why JWT?
- based on IETF standards
- based on well-known formats and algorithms
- relatively easy to understand
- you don't have to rely on "sessions" (stores)
- already widely used in production (SaaS...)
- used by Google, Microsoft, Facebook...
- lots of libs available for almost every language and flavour
Resources
- Intro: http://en.wikipedia.org/wiki/JSON_Web_Token
- RFC JWT: http://tools.ietf.org/html/rfc7519
- RFC JWS: http://tools.ietf.org/html/rfc7515
- Test service and resources (by Auth0): jws.io
- Tutorial: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
// header
{
  "alg": "HS256", // denotes the algorithm used for the signature: HMAC SHA-256
  "typ": "JWT"    // denotes the type of token this is
}
// claims (payload)
{
  "iss": "http://matthiaslienau.de", // registered claims...
  "sub": "matthias@mlienau.de",
  "nbf": 1434486979,
  "exp": 1434490579,
  "iat": 1434486979,
  "jti": "id123456",
  "role": "user" // example of a custom field
}
Menu
- What are Web Tokens?
- JSON Web Tokens: What and why is that?
- Example: Integration with AngularJS and node.js
JSON Web Tokens?
- pronounced "jot"
- open standard since 2014/2015 (RFC 7519)
- used to pass claims between parties in web application environments (RFC: "...passing identities of authenticated users between service provider and identity provider")
- based on JSON, compact, URL-safe ("web-safe")
- self-contained: carry "claims" which hold e.g. user info
- uses other standards like JWS for signing and encryption purposes
- consists of header, payload and signature
More JSON standards: JWS / JWA / JWE
- JWS: JSON Web Signature
  - JSON content digitally signed or MACed (MAC: Message Authentication Code)
- JWE: JSON Web Encryption
  - specifies encryption capabilities
- JWA: JSON Web Algorithms
  - specifies the cryptographic algorithms used by JWS and JWE
Q&A?
Thank you!
About me...
Matthias Lienau
JavaScript/node.js, PHP, python, Java, HTML5, CSS3, you name it...
Web Developer since 1997
currently working as a freelancer for e.g. G+J
http://matthiaslienau.de
matthias@mlienau.de
@atufkas
Token Based Authentication with JWT / JWS
HH.js Meetup 2015/15/06 @ Google HH - Matthias Lienau