JSON Web Tokens

Token Based Authentication with JWT / JWS
by

Matthias Lienau

on 14 January 2016


Transcript of JSON Web Tokens

Menu

What are Web Tokens?
JSON Web Tokens: What and why is that?
Example: Integration with AngularJS and node.js

Resources / Q&A
JSON Web Tokens?
pronounced "jot"
open standard since 2014/2015 (RFC 7519)
used to pass claims between parties in web application environments (RFC: "...passing identities of authenticated users between service identifier and identity provider")
based on JSON, compact, URL-safe ("web-safe")
self-contained "claims" which hold e.g. user info
uses other standards like JWS for signing and encryption purposes
consists of header, payload and signature
Why JWT?
based on IETF standards
based on well-known formats and algorithms
relatively easy to understand
you don't have to rely on "sessions" (stores)
already widely used in production (SaaS...)
used by Google, Microsoft, Facebook...
lots of libs available for almost every language and flavour
Resources
Intro: http://en.wikipedia.org/wiki/JSON_Web_Token
RFC JWT: http://tools.ietf.org/html/rfc7519
RFC JWS: http://tools.ietf.org/html/rfc7515
Test service and resources (by Auth0): jws.io
Tutorial: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
More JSON standards: JWS / JWA / JWE
JWS: JSON Web Signature
JSON content digitally signed or MACed (Message Authentication Code)
JWE: JSON Web Encryption
specifies encryption capabilities
JWA: JSON Web Algorithm
specifies cryptographic capabilities
JSON Web Tokens
BTW: Don't mix up auth identifying techniques (sessions, tokens) and transport mechanisms (headers, cookies)!
Token Based Authentication with JWT / JWS
HH.js Meetup 2015/15/06 @ Google HH - Matthias Lienau
Matthias Lienau
JavaScript/node.js, PHP, python, Java, HTML5, CSS3, you name it...

Web Developer since 1997

currently working as a freelancer for e.g. G+J

http://matthiaslienau.de
matthias@mlienau.de
@atufkas
Token Based Auth?
Web Tokens...

are pieces of information exchanged on requests
as header field or query parameter
typically used for authentication / authorization purposes
are transferred with every request where access to a resource has to be authenticated
well known from e.g. OAuth/OAuth2
Benefits: CORS, easier integration with (mobile) SPA, well suited for SSO, no CSRF (no Cookies)...
may be seen as a "ticket" or "voucher"
About me...
Using JWT with
node.js and AngularJS
Steps:

Client: Send authentication information
API: Authenticate user and generate JWT
Client: Retrieve token from server and store it
Client: Re-send token for named resources
Server: Validate token and grant access
Let's have a look at some code...
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbWF0dGhpYXNsaWVuYXUuZGUiLCJzdWIiOiJtYXR0aGlhc0BtbGllbmF1LmRlIiwibmJmIjoxNDM0NDg3MTcxLCJleHAiOjE0MzQ0OTA3NzEsImlhdCI6MTQzNDQ4NzE3MSwianRpIjoiaWQxMjM0NTYifQ.6EvmzqDobXY5fBFQ0z43Zj7wy_eMNIx6bFETCKSAQeQ
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJpc3MiOiJodHRwOi8vbWF0dGhpYXNsaWVuYXUuZGUiLCJzdWIiOiJtYXR0aGlhc0BtbGllbmF1LmRlIiwibmJmIjoxNDM0NDg3MTcxLCJleHAiOjE0MzQ0OTA3NzEsImlhdCI6MTQzNDQ4NzE3MSwianRpIjoiaWQxMjM0NTYifQ
.
6EvmzqDobXY5fBFQ0z43Zj7wy_eMNIx6bFETCKSAQeQ
JWT: JSON Web Token
IETF: RFC 7519

Q&A?
// header
{
"alg": "HS256", // denotes that the algorithm used for the signature is HMAC SHA-256
"typ": "JWT" // denotes the type of token this is
}

// claims (payload)
{
"iss": "http://matthiaslienau.de", // registered claims...
"sub": "matthias@mlienau.de",
"nbf": 1434486979,
"exp": 1434490579,
"iat": 1434486979,
"jti": "id123456",
"role": "user" // example of custom field
}
Thank you!