JSON Web Tokens

Token Based Authentication with JWT / JWS

Matthias Lienau

on 14 January 2016


Transcript of JSON Web Tokens


What are Web Tokens?
JSON Web Tokens: What and why is that?
Example: Integration with AngularJS and node.js

Resources / Q&A
JSON Web Tokens?

open standard since 2014/2015 (RFC 7519)
used to pass information between parties in web application environments (RFC: "...passing identities of authenticated users between service identifier and identity provider")
based on JSON, compact, URL-safe ("web-safe")
self-contained: carries "claims" which hold e.g. user info
uses other standards like JWS for signing (and JWE for encryption)
consists of a header, a payload (the claims) and a signature
Why JWT?
based on IETF standards
based on well-known formats and algorithms
relatively easy to understand
you don't have to rely on "sessions" (stores)
already widely used in production (SaaS...)
used by Google, Microsoft, Facebook...
lots of libs available for almost every language and flavour
Intro: http://en.wikipedia.org/wiki/JSON_Web_Token
RFC JWT: http://tools.ietf.org/html/rfc7519
RFC JWS: http://tools.ietf.org/html/rfc7515
Test service and resources (by Auth0): jwt.io
Tutorial: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
More JSON standards: JWS / JWA / JWE
JWS: JSON Web Signature
JSON content digitally signed or MACed (Message Authentication Code)
JWE: JSON Web Encryption
specifies encryption capabilities
JWA: JSON Web Algorithms
specifies the cryptographic algorithms and their identifiers (e.g. HS256) used by JWS and JWE
JSON Web Tokens
BTW: Don't mix up authentication/identification techniques (sessions, tokens) with transport mechanisms (headers, cookies)!
Token Based Authentication with JWT / JWS
HH.js Meetup 2015/15/06 @ Google HH - Matthias Lienau
Matthias Lienau
JavaScript/node.js, PHP, python, Java, HTML5, CSS3, you name it...

Web Developer since 1997

currently working as a freelancer for e.g. G+J

Token Based Auth?
Web Tokens...

are pieces of information exchanged on requests, as a header field or query parameter
typically used for authentication / authorization purposes
are sent with every request where access to a resource has to be authenticated
well known from e.g. OAuth/OAuth2
Benefits: CORS-friendly, easier integration with (mobile) SPAs, well suited for SSO, no CSRF (no cookies, as long as the token is not transported in one)...
may be seen as a "ticket" or "voucher"
About me...
Using JWT with node.js and AngularJS

Client: Send authentication information
API: Authenticate user and generate JWT
Client: Retrieve token from server and store it
Client: Re-send token for named resources
Server: Validate token and grant access
Let's have a look at some code...
JWT: JSON Web Token
IETF: RFC 7519

// header
{
  "alg": "HS256", // the algorithm used for the signature: HMAC SHA-256
  "typ": "JWT"    // the type of token this is
}

// claims (payload)
{
  "iss": "http://matthiaslienau.de", // registered claims...
  "sub": "matthias@mlienau.de",
  "nbf": 1434486979,
  "exp": 1434490579,
  "iat": 1434486979,
  "jti": "id123456",
  "role": "user" // example of a custom (private) claim
}
Thank you!