JWT Token Basics
Last updated
Last updated
There are 2 main ways in which we can keep track of the users logged in our application
The first one is to have some sort of code in memory or on the backend that keeps track when the user logs in and when the user logs out
The 2nd one is JWT Token based. This is stateless meaning that there is nothing our API, Backend or Memory that keeps track of the login
The token itself is stored on the front end and the clients keep track if it's logged in or not
1st we will create a path operation for /login
which will allow the user to authenticate
Once logged in the credentials will be verified and if correct the JWT Token will be generated
The JWT Token will be passed to the client
Once the client has the token
The client will make a request where authentication is required
In the header of the HTTP request the token will be passed as well
The API then checks the token if it's valid
If the token is valid, it will return the required data
JWT Tokens are not encrypted!
JWT Tokens are made of 3 Individual pieces
HEADER
PAYLOAD
VERIFY SIGNATURE
Metadata about the token
Almost like hashing the token
Metadata is the same for all of our tokens
This is up to you
You can send any information that you want
However you will have to consider what info you are sending as the Token IS NOT encrypted
Anybody else outside in the world can look in the token and read it
This means no confidential information
Stick to basic things such as:
ID of the user
User Roles
Something to keep in mind is that every time you need to access info that requires authentication, this token will be used
So if you pack too much info, you can lose bandwidth because of it
It's a combination of 3 things:
Header
Payload
Secret
The Secret is a special password that we keep on our API
This is only on our API
Nobody else should know it
Probably the most important thing for our authentication system
We take that information and pass it through our signing algorithm (HMACSHA256)
This will return a signature
This signature is important because it will be used to determine if the token is valid
We do not want people tampering with the token or changing data
Or changing data to look like a different user
The signature is to make sure that nobody has tampered with our token
The main takeaway here is that the signature when generating the token is made on the API side
So if a malicious user tries to modify the data, it will not work as the signature does not match
He can modify the data on the payload but then needs to create a new signature which does not match as the user does not have the API password to generate the new signature correctly
The signature is created dynamically for the token
The signature only ensures that the data integrity is still valid
Anybody can see the data of the token
Anybody can change the data of the token
Nobody can generate a new & correct signature for the data in the token
Nobody has access to the secret