Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSON Web Tokens

Avatar for Thameera Senanayaka Thameera Senanayaka
August 17, 2017
Programming
1
230

JSON Web Tokens

Event: Colombo JavaScript Meetup
Date: 2017/08/17

Avatar for Thameera Senanayaka

Thameera Senanayaka

August 17, 2017
Tweet

Other Decks in Programming

See All in Programming
Reactの歴史を振り返る
Avatar for つちのこ tutinoko
1
150
AIのメモリー
Avatar for watany watany
11
1.1k
AIに安心して任せるためにTypeScriptで一意な型を作ろう
Avatar for Yuki Yata arfes0e2b3c
0
280
はじめてのWeb API体験 ー 飲食店検索アプリを作ろうー
Avatar for Aki Nakahara akinko_0915
0
180
0から始めるモジュラーモノリス-クリーンなモノリスを目指して
Avatar for sushi-cat sushi0120
0
210
DataformでPythonする / dataform-de-python
Avatar for snhryt snhryt
0
100
QA x AIエコシステム段階構築作戦
Avatar for Osu osu
0
220
iOS開発スターターキットの作り方
Avatar for akidon0000 akidon0000
0
220
中級グラフィックス入門~効率的なメッシュレット描画~
Avatar for Pocol projectasura
3
1.9k
Vibe Codingの幻想を超えて-生成AIを現場で使えるようにするまでの泥臭い話.ai
Avatar for Kuu fumiyakume
20
9.6k
抽象化という思考のツール - 理解と活用 - / Abstraction-as-a-Tool-for-Thinking
Avatar for shin1x1 shin1x1
1
890
MCP連携で加速するAI駆動開発/mcp integration accelerates ai-driven-development
Avatar for BPStudy bpstudy
0
170

Featured

See All Featured
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
50
5.5k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
Building Applications with DynamoDB
Avatar for Matt Wood mza
95
6.5k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
179
9.8k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
53k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.4k
Designing for humans not robots
Avatar for Tammie Lister tammielis
253
25k
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
KATA
Avatar for Megan Lloyd mclloyd
31
14k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
357
30k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
271
21k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
83
9.1k

Transcript

  1. JSON Web Tokens Thameera Senanayaka

  2. @thameera twitter.com/thameera

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None

  17. JSON Web Tokens aka JWT

  18. RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between

    two parties

  19. JSON Web Token

  20. { "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"]

    }

  21. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMH w1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYi LCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKo mEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q

  22. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoM Hw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAy ZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC8 3nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0 Q

  23. JWT.io

  24. Demo

  25. Signing algorithms → HMAC → RSA → ECDSA

  26. Payload Reserved claims iss, sub, exp, aud, ...

  27. How to build a JWT

  28. payload { "name": "jon snow", "house": "stark", "sub": "1234" }

  29. base64 encode the payload bPayload = base64( payload ) eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIi

    wic3ViIjoiMTIzNCJ9

  30. header { "typ": "JWT", "alg": "HS256" }

  31. base64 encode the header bHeader = base64( header ) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

  32. signature signature = sign( bHeader + '.' + bPayload, secret

    ) sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' ) bSignature = base64( signature ) TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/ FTw4WTUXM=

  33. Add everything together jwt = bHeader.bPayload.bSignature

  34. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YX JrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4I t5+H8N4KrGdVL3f/FTw4WTUXM=

  35. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJr Iiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5+ H8N4KrGdVL3f/FTw4WTUXM=

  36. Live coding !

  37. Is the JWT encrypted?

  38. JWTs are signed, not encrypted

  39. How does the server know that we didn't mess with

    the JWT?

  40. Don't Reinvent The Wheel JWT libraries are available for almost

    every language and framework

  41. Creating a JWT with jsonwebtoken const jwt = require('jsonwebtoken') const

    token = jwt.sign({ name: 'thameera' }, 'mySecret123')

  42. Verifying a JWT const jwt = require('jsonwebtoken') try { const

    decoded = jwt.verify(token, 'mySecret123') } catch(e) { console.log('Invalid token!!!') }

  43. Advantages of JWTs ! Compact Stateless Scalable Decoupled Cross Domain

  44. Sessions vs Tokens Pass by Reference vs Pass by Value

  45. Where to go from here?

  46. JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519

  47. JWT Handbook https://goo.gl/HyzEZA

  48. Thank you!