
JSON WEB TOKEN (JWT)

S.Nikil Kumar
Sr.Software Engineer
COE- Asymmetrix, BFSI
Authentication & Authorization
• Authentication is about validating your credentials, such as a
username/user ID and password, to verify your identity.

• The system determines whether you are who you say you are.

• Authorization, on the other hand, occurs after your identity has been
successfully authenticated by the system.

• Authorization is the process of determining whether the authenticated
user has access to a particular resource.
Authentication & Authorization
Approach
• Cookie-Based authentication

• Token-Based authentication
What is Token?
• A token is a unique identifier issued to an application (or user) that is
requesting access to your service.

• Tokens replace sending a username/password combination with every
HTTP request.

• Your service generates a token for the application to present whenever
it calls your service.

• You can then match the token the client presents against the one you
issued (or verify its signature) in order to AUTHENTICATE and AUTHORIZE
the user to the system.
What is JSON Web Token?
• JSON Web Token (JWT, RFC 7519) is an open standard that defines a compact
and self-contained way of securely transmitting information
between parties as a JSON object.

• The information can be verified and trusted because it is digitally
signed.

• JWTs can be signed using a shared secret (HMAC algorithm, e.g. HS256) or a
public/private key pair using RSA, ECDSA or another asymmetric
signature algorithm.
Typical JWT token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJUZWNoIFRhbGsiLCJpc3MiOiJCQ1QiLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTUxNjI0MDAyMiwiYWRtaW4iOnRydWUsImNyZWF0ZXVzZXIiOnRydWUsImRlbGV0ZXVzZXIiOmZhbHNlLCJ1cGRhdGV1c2VyIjp0cnVlfQ.ryzvjT1gBRUaRKdOXeAJ6i0tGkbfm8xt1uRscJIFRDM
JWT Token
Header
• The header contains the metadata for the token.

• It minimally contains the type of token (typ) and the signing algorithm
(alg) used, for example HS256.

• This JSON is then Base64Url encoded to form the first part of the token.
Payload
• The second part is the actual data: a set of claims such as the subject,
issuer, issue time and expiration time.

• Claims come in three kinds: registered claims (e.g. iss, sub, iat, exp),
public claims and private claims.

• Don't put sensitive data such as passwords in your payload, because the
payload is only encoded, not encrypted, and can easily be decoded.

• This JSON is then Base64Url encoded to form the second part of the token.
Signature
• The last part is the signature, computed over the encoded header, a dot
and the encoded payload, using the secret (or private key) and the
algorithm specified in the header.

• The signature is the most important part of the JWT structure.

• The header and payload can easily be decoded, but the signature cannot be
forged without the key.

• Verifying the signature checks two things: first, that the header and
payload have not been altered.

• Secondly, that the token was produced by someone holding the secret (or
the private key), which is what proves the sender is who it claims to be.

• In short, if the header, the payload or the key changes along the way,
the verification process fails.
How it works in Practice
How JWT is Verified?
• First it verifies that the signature matches, using the algorithm the
verifier expects (not whatever the token's header happens to claim).

• Then it checks the expiry time (exp): if it is less than the current time,
in seconds since the Unix epoch, the token is considered expired.

• Otherwise all the claims are read and access is granted to the user
accordingly.

• If the token has expired, the user has to obtain a new token using a
refresh token.
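The following Python example is added here to make the header/payload/signature structure and the verification order concrete; it is not code from the slides. It uses only the standard library. It decodes the header and payload of the token shown on the "Typical JWT token" slide (they are only Base64Url encoded, so anyone can read them), then re-signs that same header and payload with a constructed demo secret (the secret behind the slide's own signature is unknown, so that signature cannot be checked here) and runs the verification steps from the slide: pinned algorithm, constant-time signature check, then exp in seconds. The secret, the verification function names and the tampered/expired scenarios are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Token shown on the "Typical JWT token" slide (header.payload.signature).
SLIDE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiJUZWNoIFRhbGsiLCJpc3MiOiJCQ1QiLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6"
    "MTUxNjI0MDAyMiwiYWRtaW4iOnRydWUsImNyZWF0ZXVzZXIiOnRydWUsImRlbGV0ZXVzZXIi"
    "OmZhbHNlLCJ1cGRhdGV1c2VyIjp0cnVlfQ."
    "ryzvjT1gBRUaRKdOXeAJ6i0tGkbfm8xt1uRscJIFRDM"
)

# Constructed secret for the example only; the secret behind the slide's
# signature is unknown, so that signature itself cannot be checked here.
DEMO_SECRET = b"demo-secret-for-the-example"


def b64url_encode(data: bytes) -> str:
    """Base64Url without '=' padding, as JWT requires (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> tuple:
    """Header and payload are only encoded, not encrypted: anyone can read them."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature. The signature is HMAC-SHA256 over the
    string 'encodedHeader.encodedPayload', not a simple sum of the parts."""
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, now: int) -> dict:
    """Verification in the order the slides give: signature first, then exp,
    then hand back the claims. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides what it accepts, not the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    # exp is a NumericDate: seconds since the Unix epoch, not milliseconds.
    if "exp" in payload and int(payload["exp"]) < now:
        raise ValueError("token expired")
    return payload


def demo() -> dict:
    """Re-sign the slide's header and payload with the demo secret, then show
    a good verification, a tampered payload and an expired token."""
    header, payload = decode_unverified(SLIDE_TOKEN)
    token = sign_hs256(header, payload, DEMO_SECRET)
    results = {"claims": verify_hs256(token, DEMO_SECRET, now=payload["iat"] + 1)}

    # Flip a claim without re-signing: the signature no longer matches.
    h, p, s = token.split(".")
    tampered = json.loads(b64url_decode(p))
    tampered["deleteuser"] = True
    p2 = b64url_encode(json.dumps(tampered, separators=(",", ":")).encode())
    try:
        verify_hs256(f"{h}.{p2}.{s}", DEMO_SECRET, now=payload["iat"] + 1)
        results["tampered"] = "accepted"
    except ValueError as err:
        results["tampered"] = str(err)

    # Same valid token, checked after its exp has passed.
    try:
        verify_hs256(token, DEMO_SECRET, now=payload["exp"] + 1)
        results["expired"] = "accepted"
    except ValueError as err:
        results["expired"] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the slide's header and payload are re-encoded with the same key order and compact separators, the first two segments of the re-signed token are byte-for-byte identical to the slide's; only the signature differs, because the secret does.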
Why JWT is Popular?
• No session storage on the server

• No garbage collection of expired sessions

• Truly RESTful (stateless) services

• Can be used across servers and services by sending the JWT in the
Authorization header (Authorization: Bearer <token>).

• The JWT can carry additional information in its payload that the
client side can use.
Refresh Token
Advantages of using JWT
• Less verbose than SWT and than XML-based systems such as SAML.

• More compact than SAML.

• Security-wise, SWT can only be symmetrically signed with a shared secret
(HMAC), whereas JWT also supports asymmetric signatures.

• JSON parsers are common in most programming languages, which makes
working with JWT easier than with SAML.

• JWT can be easily parsed on clients such as mobile apps.


What if JWT token is stolen?
• Revoke the compromised tokens immediately.

• Force the affected user to change their password immediately.

• Inspect the client's environment.

• Inspect your server-side environment.
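The slides say to revoke a compromised token but not how. A JWT cannot be recalled once issued, so revocation reintroduces a little server-side state: a denylist the verifier consults after the signature check. The Python example below is added here and is not from the slides. It keys the list on the token's signature segment (which identifies that exact token) and keeps each entry only until the token's exp, after which ordinary expiry rejects it anyway, so the list stays bounded. The class and function names, the second "later" token and its signature string are constructed for the example; the claims are those decoded from the slide's token. The same mechanism is commonly used to implement logout.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Base64Url without padding, as used in JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(payload: dict, signature: str) -> str:
    """Assemble header.payload.signature for the demo. The signature segment is
    passed in as a constructed string: this block is about revocation, not signing."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{signature}"


def payload_of(token: str) -> dict:
    """Unverified read of the payload; only used here to learn the token's exp.
    In a real verifier this runs after the signature has been checked."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


class RevocationList:
    """Server-side denylist of compromised tokens (constructed for this example).

    Entries map the token's signature segment to its exp. An entry is dropped
    once exp has passed, because from then on the normal expiry check rejects
    the token on its own; the list therefore never grows beyond the number of
    tokens revoked within one token lifetime.
    """

    def __init__(self) -> None:
        self._revoked = {}  # signature segment -> exp (seconds since epoch)

    def revoke(self, token: str) -> None:
        signature = token.split(".")[2]
        self._revoked[signature] = int(payload_of(token)["exp"])

    def purge(self, now: int) -> int:
        """Drop entries whose token has expired; returns how many were dropped."""
        dead = [sig for sig, exp in self._revoked.items() if exp < now]
        for sig in dead:
            del self._revoked[sig]
        return len(dead)

    def is_revoked(self, token: str, now: int) -> bool:
        """Called by the verifier after the signature check: deny if listed."""
        self.purge(now)
        return token.split(".")[2] in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


# Claims decoded from the slide's example token (exp = iat + 1000 s), plus a
# constructed second token for the same user issued later with a longer life.
SLIDE_CLAIMS = {"sub": "Tech Talk", "iss": "BCT", "iat": 1516239022, "exp": 1516240022,
                "admin": True, "createuser": True, "deleteuser": False, "updateuser": True}
STOLEN = make_token(SLIDE_CLAIMS, "ryzvjT1gBRUaRKdOXeAJ6i0tGkbfm8xt1uRscJIFRDM")
LATER = make_token({**SLIDE_CLAIMS, "iat": 1516240000, "exp": 1516243600}, "constructed-sig")


def demo() -> dict:
    """Revoke both tokens, then check them before and after STOLEN's exp."""
    rl = RevocationList()
    t0 = 1516239500  # both tokens still within their lifetime
    rl.revoke(STOLEN)
    rl.revoke(LATER)
    before = (rl.is_revoked(STOLEN, t0), rl.is_revoked(LATER, t0), len(rl))
    t1 = 1516240100  # STOLEN has now expired on its own; LATER has not
    after = (rl.is_revoked(STOLEN, t1), rl.is_revoked(LATER, t1), len(rl))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Checking the denylist costs one lookup per request, which is far cheaper than the per-request session lookup JWT was meant to remove, and it is only needed for the short window between revocation and exp.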


How to log out with JWT?
Thank You