Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JSON Web Tokens
Search
Thameera Senanayaka
August 17, 2017
Programming
1
190
JSON Web Tokens
Event: Colombo JavaScript Meetup
Date: 2017/08/17
Thameera Senanayaka
August 17, 2017
Tweet
Share
Other Decks in Programming
See All in Programming
これでLambdaが不要に?!Step FunctionsのJSONata対応について
iwatatomoya
2
3.7k
テストコード書いてみませんか?
onopon
2
150
Fibonacci Function Gallery - Part 1
philipschwarz
PRO
0
220
From Translations to Multi Dimension Entities
alexanderschranz
2
140
「Chatwork」Android版アプリを 支える単体テストの現在
okuzawats
0
180
Jakarta EE meets AI
ivargrimstad
0
260
create_tableをしただけなのに〜囚われのuuid編〜
daisukeshinoku
0
270
[JAWS-UG横浜 #76] イケてるアップデートを宇宙いち早く紹介するよ!
maroon1st
0
490
競技プログラミングへのお誘い@阪大BOOSTセミナー
kotamanegi
0
360
Итераторы в Go 1.23: зачем они нужны, как использовать, и насколько они быстрые?
lamodatech
0
850
テスト自動化失敗から再挑戦しチームにオーナーシップを委譲した話/STAC2024 macho
ma_cho29
1
1.3k
Cloudflare MCP ServerでClaude Desktop からWeb APIを構築
kutakutat
1
560
Featured
See All Featured
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
The Invisible Side of Design
smashingmag
298
50k
Building a Scalable Design System with Sketch
lauravandoore
460
33k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
2
170
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
48
2.2k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
BBQ
matthewcrist
85
9.4k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.5k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
810
How STYLIGHT went responsive
nonsquared
95
5.2k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
247
1.3M
Transcript
JSON Web Tokens Thameera Senanayaka
@thameera twitter.com/thameera
None
None
None
None
None
None
None
None
None
None
None
None
None
None
JSON Web Tokens aka JWT
RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between
two parties
JSON Web Token
{ "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"]
}
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMH w1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYi LCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKo mEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoM Hw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAy ZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC8 3nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0 Q
JWT.io
Demo
Signing algorithms → HMAC → RSA → ECDSA
Payload Reserved claims iss, sub, exp, aud, ...
How to build a JWT
payload { "name": "jon snow", "house": "stark", "sub": "1234" }
base64 encode the payload bPayload = base64( payload ) eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIi
wic3ViIjoiMTIzNCJ9
header { "typ": "JWT", "alg": "HS256" }
base64 encode the header bHeader = base64( header ) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
signature signature = sign( bHeader + '.' + bPayload, secret
) sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' ) bSignature = base64( signature ) TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/ FTw4WTUXM=
Add everything together jwt = bHeader.bPayload.bSignature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YX JrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4I t5+H8N4KrGdVL3f/FTw4WTUXM=
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJr Iiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5+ H8N4KrGdVL3f/FTw4WTUXM=
Live coding !
Is the JWT encrypted?
JWTs are signed, not encrypted
How does the server know that we didn't mess with
the JWT?
Don't Reinvent The Wheel JWT libraries are available for almost
every language and framework
Creating a JWT with jsonwebtoken const jwt = require('jsonwebtoken') const
token = jwt.sign({ name: 'thameera' }, 'mySecret123')
Verifying a JWT const jwt = require('jsonwebtoken') try { const
decoded = jwt.verify(token, 'mySecret123') } catch(e) { console.log('Invalid token!!!') }
Advantages of JWTs ! Compact Stateless Scalable Decoupled Cross Domain
Sessions vs Tokens Pass by Reference vs Pass by Value
Where to go from here?
JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519
JWT Handbook https://goo.gl/HyzEZA
Thank you!