JSON Web Tokens
Transcript of JSON Web Tokens
What are Web Tokens?
JSON Web Tokens: What and why is that?
Example: Integration with AngularJS and node.js
Resources / Q&A
JSON Web Tokens?
open standard since 2014/2015 (RFC 7519)
used to pass claims between parties in web application environments (RFC: "...passing identities of authenticated users between service identifier and identity provider")
based on JSON, compact, URL-safe ("web-safe")
self-contained: carry "claims" which hold e.g. user info
uses other standards like JWS for signing and encryption purposes
based on IETF standards
based on well-known formats and algorithms
relatively easy to understand
you don't have to rely on "sessions" (stores)
already widely used in production (SaaS...)
used by Google, Microsoft, Facebook...
lots of libs available for almost every language and flavour
RFC JWT: http://tools.ietf.org/html/rfc7519
RFC JWS: http://tools.ietf.org/html/rfc7515
Test service and resources (by Auth0): jws.io
More JSON standards: JWS / JWA / JWE
JWS: JSON Web Signature
JSON content digitally signed or MACed (Message Authentication Code)
JWE: JSON Web Encryption
specifies encryption capabilities
JWA: JSON Web Algorithms
specifies cryptographic capabilities
JSON Web Tokens
BTW: Don't mix up auth identifying techniques (sessions, tokens) and transport mechanisms (headers, cookies)!
Token Based Authentication with JWT / JWS
HH.js Meetup 2015/15/06 @ Google HH - Matthias Lienau
Web Developer since 1997
currently working as a freelancer for e.g. G+J
Token Based Auth?
are pieces of information exchanged on requests
as header field or query parameter
typically used for authentication / authorization purposes
are transferred with every request where access to a resource has to be authenticated
well known from e.g. OAuth/OAuth2
Benefits: CORS, easier integration with (mobile) SPA, well suited for SSO, no CSRF (no Cookies)...
may be seen as a "ticket" or "voucher"
Using JWT with
node.js and AngularJS
Client: Send authentication information
API: Authenticate user and generate JWT
Client: Retrieve token from server and store it
Client: Re-send token for named resources
Server: Validate token and grant access
Let's have a look at some code...
JWT: JSON Web Token
IETF: RFC 7519
// header
{
  "alg": "HS256", // denotes the algorithm used for the signature is HMAC SHA-256
  "typ": "JWT" // denotes the type of token this is
}
// claims (payload)
{
  "iss": "http://matthiaslienau.de", // registered claims...
  "role": "user" // example of custom field
}
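The five-step flow above (client sends credentials, API issues a JWT, client stores and re-sends it, server validates it) and the header/payload layout just shown, worked through as an added example that is not code from the talk or from any JWT library. It builds and checks an HS256 token with only the Python standard library (hmac, hashlib, base64, json); the secret key, the timestamps and the tamper_role helper are constructed test values, and the function names are this example's own. The verifier pins the expected algorithm, compares the MAC in constant time and enforces exp, which is what a node.js API behind AngularJS would also have to do before granting access.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for this demo; a real API loads it from a secret store.
SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires (RFC 7515, appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding base64 expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes, now: int, ttl: int = 3600) -> str:
    """API side (step 2): serialize header.payload and sign both with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)  # iat/exp are registered claims
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def token_from_request(headers: dict) -> str:
    """Client side (step 4): the stored token travels as 'Authorization: Bearer <jwt>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("no bearer token")
    return token


def verify_token(token: str, secret: bytes, now: int) -> dict:
    """Server side (step 5): check structure, pinned alg, MAC and expiry; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The token must not choose the algorithm: only the server's expected alg is accepted.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload


def is_valid(token: str, secret: bytes, now: int) -> bool:
    """Boolean wrapper around verify_token for route handlers and tests."""
    try:
        verify_token(token, secret, now)
        return True
    except ValueError:  # covers binascii.Error and json.JSONDecodeError as well
        return False


def tamper_role(token: str, new_role: str) -> str:
    """Constructed test input: rewrite the 'role' claim without re-signing,
    to show that the MAC check rejects any edited payload."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload["role"] = new_role
    return h + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()) + "." + s


if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock value so the run is reproducible
    tok = issue_token({"iss": "http://matthiaslienau.de", "role": "user"}, SECRET, now=t0)
    print("token:", tok)
    print("claims:", verify_token(token_from_request({"Authorization": "Bearer " + tok}), SECRET, now=t0 + 60))
    print("tampered accepted?", is_valid(tamper_role(tok, "admin"), SECRET, now=t0 + 60))
    print("after expiry accepted?", is_valid(tok, SECRET, now=t0 + 3600))
```

The token is not encrypted, only signed: anyone holding it can base64-decode the payload, so the claims must not carry secrets, and the signature check is what stops a client from promoting itself from "user" to another role. In a production API the secret would be rotated and loaded from configuration rather than embedded, and a library such as the node.js jsonwebtoken package would replace the hand-rolled encode/verify pair while keeping the same checks.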