JWT Token Basics

There are 2 main ways in which we can keep track of the users logged in our application

  • The first one is to have some sort of code in memory or on the backend that keeps track when the user logs in and when the user logs out

  • The 2nd one is JWT Token based. This is stateless meaning that there is nothing our API, Backend or Memory that keeps track of the login

  • The token itself is stored on the front end and the clients keep track if it's logged in or not

JWT Token Authentication

How it works:

  • 1st we will create a path operation for /login which will allow the user to authenticate

  • Once logged in the credentials will be verified and if correct the JWT Token will be generated

  • The JWT Token will be passed to the client

  • Once the client has the token

    • The client will make a request where authentication is required

    • In the header of the HTTP request the token will be passed as well

  • The API then checks the token if it's valid

  • If the token is valid, it will return the required data

JWT Deep Dive

JWT Tokens are not encrypted!

  • JWT Tokens are made of 3 Individual pieces

    • HEADER

    • PAYLOAD

    • VERIFY SIGNATURE

Header

  • Metadata about the token

  • Almost like hashing the token

  • Metadata is the same for all of our tokens

Payload

  • This is up to you

  • You can send any information that you want

  • However you will have to consider what info you are sending as the Token IS NOT encrypted

  • Anybody else outside in the world can look in the token and read it

  • This means no confidential information

  • Stick to basic things such as:

    • ID of the user

    • User Roles

  • Something to keep in mind is that every time you need to access info that requires authentication, this token will be used

    • So if you pack too much info, you can lose bandwidth because of it

Signature

  • It's a combination of 3 things:

    • Header

    • Payload

    • Secret

The Secret is a special password that we keep on our API

  • This is only on our API

  • Nobody else should know it

  • Probably the most important thing for our authentication system

  • We take that information and pass it through our signing algorithm (HMACSHA256)

  • This will return a signature

This signature is important because it will be used to determine if the token is valid

  • We do not want people tampering with the token or changing data

  • Or changing data to look like a different user

The signature is to make sure that nobody has tampered with our token

Purpose of Signature

  • The main takeaway here is that the signature when generating the token is made on the API side

  • So if a malicious user tries to modify the data, it will not work as the signature does not match

  • He can modify the data on the payload but then needs to create a new signature which does not match as the user does not have the API password to generate the new signature correctly

  • The signature is created dynamically for the token

  • The signature only ensures that the data integrity is still valid

  • Anybody can see the data of the token

  • Anybody can change the data of the token

  • Nobody can generate a new & correct signature for the data in the token

  • Nobody has access to the secret

PreviousRouter TagsNextLogin Process

Last updated