Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JSON Web Tokens
Search
Thameera Senanayaka
August 17, 2017
Programming
1
240
JSON Web Tokens
Event: Colombo JavaScript Meetup
Date: 2017/08/17
Thameera Senanayaka
August 17, 2017
Tweet
Share
Other Decks in Programming
See All in Programming
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
300
Go Conference 2025: Goで体感するMultipath TCP ― Go 1.24 時代の MPTCP Listener を理解する
takehaya
9
1.7k
Advance Your Career with Open Source
ivargrimstad
0
480
Go言語はstack overflowの夢を見るか?
logica0419
0
120
非同期jobをtransaction内で 呼ぶなよ!絶対に呼ぶなよ!
alstrocrack
0
710
AI Coding Meetup #3 - 導入セッション / ai-coding-meetup-3
izumin5210
0
3.3k
GraphQL×Railsアプリのデータベース負荷分散 - 月間3,000万人利用サービスを無停止で
koxya
1
1.3k
Le côté obscur des IA génératives
pascallemerrer
0
140
iOSエンジニア向けの英語学習アプリを作る!
yukawashouhei
0
190
PHPに関数型の魂を宿す〜PHP 8.5 で実現する堅牢なコードとは〜 #phpcon_hiroshima / phpcon-hiroshima-2025
shogogg
1
140
What's new in Spring Modulith?
olivergierke
1
140
大規模アプリのDIフレームワーク刷新戦略 ~過去最大規模の並行開発を止めずにアプリ全体に導入するまで~
mot_techtalk
1
430
Featured
See All Featured
Done Done
chrislema
185
16k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
Being A Developer After 40
akosma
91
590k
The Power of CSS Pseudo Elements
geoffreycrofte
79
6k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
BBQ
matthewcrist
89
9.8k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.2k
It's Worth the Effort
3n
187
28k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
127
53k
Agile that works and the tools we love
rasmusluckow
331
21k
Learning to Love Humans: Emotional Interface Design
aarron
274
41k
Transcript
JSON Web Tokens Thameera Senanayaka
@thameera twitter.com/thameera
None
None
None
None
None
None
None
None
None
None
None
None
None
None
JSON Web Tokens aka JWT
RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between
two parties
JSON Web Token
{ "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"]
}
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMH w1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYi LCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKo mEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoM Hw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAy ZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC8 3nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0 Q
JWT.io
Demo
Signing algorithms → HMAC → RSA → ECDSA
Payload Reserved claims iss, sub, exp, aud, ...
How to build a JWT
payload { "name": "jon snow", "house": "stark", "sub": "1234" }
base64 encode the payload bPayload = base64( payload ) eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIi
wic3ViIjoiMTIzNCJ9
header { "typ": "JWT", "alg": "HS256" }
base64 encode the header bHeader = base64( header ) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
signature signature = sign( bHeader + '.' + bPayload, secret
) sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' ) bSignature = base64( signature ) TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/ FTw4WTUXM=
Add everything together jwt = bHeader.bPayload.bSignature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YX JrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4I t5+H8N4KrGdVL3f/FTw4WTUXM=
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJr Iiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5+ H8N4KrGdVL3f/FTw4WTUXM=
Live coding !
Is the JWT encrypted?
JWTs are signed, not encrypted
How does the server know that we didn't mess with
the JWT?
Don't Reinvent The Wheel JWT libraries are available for almost
every language and framework
Creating a JWT with jsonwebtoken const jwt = require('jsonwebtoken') const
token = jwt.sign({ name: 'thameera' }, 'mySecret123')
Verifying a JWT const jwt = require('jsonwebtoken') try { const
decoded = jwt.verify(token, 'mySecret123') } catch(e) { console.log('Invalid token!!!') }
Advantages of JWTs ! Compact Stateless Scalable Decoupled Cross Domain
Sessions vs Tokens Pass by Reference vs Pass by Value
Where to go from here?
JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519
JWT Handbook https://goo.gl/HyzEZA
Thank you!