Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JSON Web Tokens
Search
Thameera Senanayaka
August 17, 2017
Programming
1
160
JSON Web Tokens
Event: Colombo JavaScript Meetup
Date: 2017/08/17
Thameera Senanayaka
August 17, 2017
Tweet
Share
Other Decks in Programming
See All in Programming
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
Site Reliability Engineering for GMO
pyama86
8
1k
Fragment Composition of GraphQL
quramy
7
1k
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
940
MicrosoftのPlatform Engineeringガイドを読んで実際になにかやってみた
ymd65536
1
340
Komplexe Oberflächen mit SVG und der Web Animation API
joergneumann
0
670
雑に思考を整理する技術と効能
konifar
60
29k
Tailwind CSSを本気でカスタマイズする方法
fsubal
13
5.3k
PostmanでAPIの動作確認が楽になった話
h455h1
0
170
PHPはいつから死んでいるかの調査
chiroruxx
1
400
Let's learn code review
riofujimon
2
350
Hanami and htmx
bkuhlmann
0
210
Featured
See All Featured
Code Review Best Practice
trishagee
55
15k
Code Reviewing Like a Champion
maltzj
514
39k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Scaling GitHub
holman
457
140k
The Cult of Friendly URLs
andyhume
74
5.7k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
Large-scale JavaScript Application Architecture
addyosmani
504
110k
4 Signs Your Business is Dying
shpigford
175
21k
Building Effective Engineering Teams - LeadDev
addyosmani
28
1.8k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
Building a Modern Day E-commerce SEO Strategy
aleyda
17
6.4k
Transcript
JSON Web Tokens Thameera Senanayaka
@thameera twitter.com/thameera
None
None
None
None
None
None
None
None
None
None
None
None
None
None
JSON Web Tokens aka JWT
RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between
two parties
JSON Web Token
{ "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"]
}
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMH w1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYi LCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKo mEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoM Hw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAy ZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC8 3nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0 Q
JWT.io
Demo
Signing algorithms → HMAC → RSA → ECDSA
Payload Reserved claims iss, sub, exp, aud, ...
How to build a JWT
payload { "name": "jon snow", "house": "stark", "sub": "1234" }
base64 encode the payload bPayload = base64( payload ) eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIi
wic3ViIjoiMTIzNCJ9
header { "typ": "JWT", "alg": "HS256" }
base64 encode the header bHeader = base64( header ) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
signature signature = sign( bHeader + '.' + bPayload, secret
) sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' ) bSignature = base64( signature ) TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/ FTw4WTUXM=
Add everything together jwt = bHeader.bPayload.bSignature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YX JrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4I t5+H8N4KrGdVL3f/FTw4WTUXM=
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJr Iiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5+ H8N4KrGdVL3f/FTw4WTUXM=
Live coding !
Is the JWT encrypted?
JWTs are signed, not encrypted
How does the server know that we didn't mess with
the JWT?
Don't Reinvent The Wheel JWT libraries are available for almost
every language and framework
Creating a JWT with jsonwebtoken const jwt = require('jsonwebtoken') const
token = jwt.sign({ name: 'thameera' }, 'mySecret123')
Verifying a JWT const jwt = require('jsonwebtoken') try { const
decoded = jwt.verify(token, 'mySecret123') } catch(e) { console.log('Invalid token!!!') }
Advantages of JWTs ! Compact Stateless Scalable Decoupled Cross Domain
Sessions vs Tokens Pass by Reference vs Pass by Value
Where to go from here?
JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519
JWT Handbook https://goo.gl/HyzEZA
Thank you!