Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSON Web Tokens

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Thameera Senanayaka Thameera Senanayaka
August 17, 2017
Programming
300
1

JSON Web Tokens

Event: Colombo JavaScript Meetup
Date: 2017/08/17

Avatar for Thameera Senanayaka

Thameera Senanayaka

August 17, 2017

Other Decks in Programming

See All in Programming
「エンジニアインターン、どうやって取った?」準備のリアルを語るLT会 Progate BAR
Avatar for akio akiomatic
0
120
決定論的オーケストレーションの設計と実装 / Design and Implementation of Deterministic Orchestration
Avatar for nrs nrslib
3
1k
正しくソフトウェアを作る、前提を疑うための認知の視点 / doubt-premise
Avatar for MinoDriven minodriven
17
5.9k
CSC307 Lecture 17
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
310
RTSPクライアントを自作してみた話
Avatar for simotin13 simotin13
0
460
キャリア迷子上等 ─ "ない道"は自分で作ればいい
Avatar for 16bit_idol 16bitidol
2
330
代数的データ型って何が嬉しいの? #frontend_phpcon_do
Avatar for Takuma Kajikawa kajitack
8
3.2k
PHPで使える日時の表現と、その知り方 #frontend_phpcon_do
Avatar for hideki kinjyo o0h
PRO
0
190
Datadog × OpenTelemetry 入門と実践のあいだ
Avatar for Max Kento kn_to_maxpno
1
140
生成AI時代にこそ効くGo | Why Go Works in the Age of Generative AI
Avatar for mom0tomo mom0tomo
8
3.1k
Composerを使ったサプライチェーン攻撃の様子を眺めてみる #phpstudy
Avatar for hideki kinjyo o0h
PRO
2
220
Spec-Driven Development with AI-Agents: From High-Level Requirements to Working Software
Avatar for Anton Arhipov antonarhipov
2
440

Featured

See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
128
55k
Collaborative Software Design: How to facilitate domain modelling decisions
Avatar for Kenny Baas-Schwegler baasie
1
240
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
32
3.3k
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
180
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
13
1.2k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
41
2.5k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
302
52k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
120k
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
9
2k
KATA
Avatar for Megan Lloyd mclloyd
PRO
35
15k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.3k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.4k

Transcript

  1. JSON Web Tokens Thameera Senanayaka

  2. @thameera twitter.com/thameera

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None

  17. JSON Web Tokens aka JWT

  18. RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between

    two parties

  19. JSON Web Token

  20. { "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"]

    }

  21. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMH w1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYi LCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKo mEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q

  22. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoM Hw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAy ZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC8 3nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0 Q

  23. JWT.io

  24. Demo

  25. Signing algorithms → HMAC → RSA → ECDSA

  26. Payload Reserved claims iss, sub, exp, aud, ...

  27. How to build a JWT

  28. payload { "name": "jon snow", "house": "stark", "sub": "1234" }

  29. base64 encode the payload bPayload = base64( payload ) eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIi

    wic3ViIjoiMTIzNCJ9

  30. header { "typ": "JWT", "alg": "HS256" }

  31. base64 encode the header bHeader = base64( header ) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

  32. signature signature = sign( bHeader + '.' + bPayload, secret

    ) sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' ) bSignature = base64( signature ) TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/ FTw4WTUXM=

  33. Add everything together jwt = bHeader.bPayload.bSignature

  34. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YX JrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4I t5+H8N4KrGdVL3f/FTw4WTUXM=

  35. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJr Iiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5+ H8N4KrGdVL3f/FTw4WTUXM=

  36. Live coding !

  37. Is the JWT encrypted?

  38. JWTs are signed, not encrypted

  39. How does the server know that we didn't mess with

    the JWT?

  40. Don't Reinvent The Wheel JWT libraries are available for almost

    every language and framework

  41. Creating a JWT with jsonwebtoken const jwt = require('jsonwebtoken') const

    token = jwt.sign({ name: 'thameera' }, 'mySecret123')

  42. Verifying a JWT const jwt = require('jsonwebtoken') try { const

    decoded = jwt.verify(token, 'mySecret123') } catch(e) { console.log('Invalid token!!!') }

  43. Advantages of JWTs ! Compact Stateless Scalable Decoupled Cross Domain

  44. Sessions vs Tokens Pass by Reference vs Pass by Value

  45. Where to go from here?

  46. JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519

  47. JWT Handbook https://goo.gl/HyzEZA

  48. Thank you!