S.Nikil Kumar
Sr.Software Engineer
COE- Asymmetrix, BFSI
Authentication & Authorization
• Authentication is about validating your credentials, such as a username/user ID and password, to verify your identity.
• The system determines whether you are who you say you are.
• Token-Based authentication
What is Token?
• A token is a unique identifier presented by an application (or user) requesting access to your service.
• You can then match the token they present to the one you stored in order to AUTHENTICATE and AUTHORIZE the user on the system.
What is JSON Web Token?
• JSON Web Token (JWT, RFC 7519) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJUZWNoIFRhbGsiLCJpc3MiOiJCQ1QiLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTUxNjI0MDAyMiwiYWRtaW4iOnRydWUsImNyZWF0ZXVzZXIiOnRydWUsImRlbGV0ZXVzZXIiOmZhbHNlLCJ1cGRhdGV1c2VyIjp0cnVlfQ.ryzvjT1gBRUaRKdOXeAJ6i0tGkbfm8xt1uRscJIFRDM
JWT Token
Header
• The header contains the metadata for the token: the signing algorithm (alg) and the token type (typ).
• This JSON is Base64Url encoded to form the first part of the token.
Payload
• The second part is the actual data (the claims); besides user data it can carry information such as the issuer (iss), the issued-at time (iat) and the expiration time (exp).
• Claims come in three kinds: registered claims, public claims and private claims.
• Don't put sensitive data such as passwords in your payload: it is only encoded, not encrypted, so anyone holding the token can decode it.
• This JSON is Base64Url encoded to form the second part of the token.
Signature
• The last part is the signature, computed over the encoded header and the encoded payload (joined with a dot) using a secret and the algorithm specified in the header.
• The header and payload can easily be decoded by anyone, but the signature cannot be forged without the secret.
• Verifying the signature checks two things: first, that the header and payload have not been altered.
• Second, that the token was produced with the right key, so the issuer is who it claims to be (with HMAC algorithms such as HS256 this is a shared secret; with RS256 the issuer signs with its private key and the verifier checks with the matching public key).
• The verifier should pin the algorithm it expects rather than trusting the alg value in the header.
• Only if the signature verifies are the claims read, and access is granted to the user accordingly.
• If the token has expired, the user has to obtain a new token using a refresh token.
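The following Python script is an added example, not code from the slides: it decodes the slide's token, signs a fresh HS256 token under a constructed secret, and verifies a token the way the Header, Payload and Signature slides describe (pinned algorithm, constant-time HMAC check, exp and iss checks). The secret, the claim values and the forge_claims() helper are assumptions for the demonstration; the secret behind the slide's own signature is not on the page, so that token can only be decoded here, not verified.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# The HS256 token shown on the slide (header.payload.signature).
SLIDE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiJUZWNoIFRhbGsiLCJpc3MiOiJCQ1QiLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6"
    "MTUxNjI0MDAyMiwiYWRtaW4iOnRydWUsImNyZWF0ZXVzZXIiOnRydWUsImRlbGV0ZXVzZXIi"
    "OmZhbHNlLCJ1cGRhdGV1c2VyIjp0cnVlfQ."
    "ryzvjT1gBRUaRKdOXeAJ6i0tGkbfm8xt1uRscJIFRDM"
)


def b64url_encode(data: bytes) -> str:
    """Base64Url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding urlsafe_b64decode needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Read header and payload WITHOUT checking the signature.
    Anyone holding the token can do this, which is why the payload must not
    carry secrets such as passwords."""
    header_b64, payload_b64, _ = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def sign_jwt(claims: Dict, secret: bytes) -> str:
    """Build an HS256 token: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_jwt(token: str, secret: bytes, expected_iss: str,
               now: Optional[int] = None) -> Dict:
    """Return the claims if the token is authentic and still valid; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to check, not the token's header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Signature is good: only now are the claims trusted and checked.
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    return claims


def forge_claims(token: str, new_claims: Dict) -> str:
    """Hypothetical attacker step: swap the payload but reuse the old signature.
    Used below to show that verify_jwt() rejects the result."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return header_b64 + "." + payload_b64 + "." + sig_b64


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # assumption: not the slide's secret
    print(decode_unverified(SLIDE_TOKEN))  # header and claims of the slide's token
    token = sign_jwt({"sub": "alice", "iss": "BCT", "iat": 1000, "exp": 2000,
                      "admin": False}, secret)
    print(verify_jwt(token, secret, "BCT", now=1500))
    forged = forge_claims(token, {"sub": "alice", "iss": "BCT", "iat": 1000,
                                  "exp": 2000, "admin": True})
    for label, tok, when in (("forged payload", forged, 1500), ("expired", token, 2000)):
        try:
            verify_jwt(tok, secret, "BCT", now=when)
        except ValueError as err:
            print(label, "->", err)
```

Run it as a script to see the slide's decoded claims, a valid verification, and the two rejections. The order of checks in verify_jwt() matters: the algorithm is pinned before any cryptography runs, the signature is checked before any claim is read, and exp and iss are checked before the claims are handed to authorization logic.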
Why JWT is Popular?
• No session storage