Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSON Web Tokens

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Thameera Senanayaka Thameera Senanayaka
August 17, 2017
Programming
290
1

JSON Web Tokens

Event: Colombo JavaScript Meetup
Date: 2017/08/17

Avatar for Thameera Senanayaka

Thameera Senanayaka

August 17, 2017

Other Decks in Programming

See All in Programming
属人化しないコード品質の作り方_2026.04.07.pdf
Avatar for Masaki Murano muraaano
0
190
t *testing.T は どこからやってくるの?
Avatar for Kotaro Otaka otakakot
1
680
アクセシビリティ試験の"その後"を仕組み化する
Avatar for yuuumin yuuumiravy
0
150
Liberating Ruby's Parser from Lexer Hacks
Avatar for ydah ydah
2
1.4k
How Swift's Type System Guides AI Agents
Avatar for Yuta Koshizawa koher
0
270
AIベース静的検査器の偽陽性率を抑える工夫3選
Avatar for Kuniwak orgachem
PRO
3
320
CDK Deployのための ”反響定位”
Avatar for watany watany
4
780
アーキテクチャモダナイゼーションとは何か
Avatar for nwiizo nwiizo
19
5.3k
YJITとZJITにはイカなる違いがあるのか?
Avatar for yamanao nakiym
0
220
PHPで TLSのプロトコルを実装してみるをもう一度しゃべりたい
Avatar for higaki higaki_program
0
210
クラウドネイティブなエンジニアに向ける Raycastの魅力と実際の活用事例
Avatar for Nealle nealle
2
200
Swift Concurrency Type System
Avatar for Yasuhiro Inami inamiy
0
530

Featured

See All Featured
Impact Scores and Hybrid Strategies: The future of link building
Avatar for Tamara Novitovic tamaranovitovic
0
260
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
254
22k
Building the Perfect Custom Keyboard
Avatar for Naoto Takai takai
2
730
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
Avatar for David Carrasco davidcarrasco
0
120
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
1
240
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
3
330
Leo the Paperboy
Avatar for Maya Tellez mayatellez
7
1.7k
Leveraging Curiosity to Care for An Aging Population
Avatar for Cassini Nazir cassininazir
1
220
Making Projects Easy
Avatar for Brett Harned brettharned
120
6.6k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
9k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
Avatar for Aleyda Solis aleyda
1
2k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k

Transcript

  1. JSON Web Tokens Thameera Senanayaka

  2. @thameera twitter.com/thameera

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None

  17. JSON Web Tokens aka JWT

  18. RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between

    two parties

  19. JSON Web Token

  20. { "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"]

    }

  21. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMH w1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYi LCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKo mEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q

  22. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoM Hw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAy ZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC8 3nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0 Q

  23. JWT.io

  24. Demo

  25. Signing algorithms → HMAC → RSA → ECDSA

  26. Payload Reserved claims iss, sub, exp, aud, ...

  27. How to build a JWT

  28. payload { "name": "jon snow", "house": "stark", "sub": "1234" }

  29. base64 encode the payload bPayload = base64( payload ) eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIi

    wic3ViIjoiMTIzNCJ9

  30. header { "typ": "JWT", "alg": "HS256" }

  31. base64 encode the header bHeader = base64( header ) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

  32. signature signature = sign( bHeader + '.' + bPayload, secret

    ) sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' ) bSignature = base64( signature ) TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/ FTw4WTUXM=

  33. Add everything together jwt = bHeader.bPayload.bSignature

  34. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YX JrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4I t5+H8N4KrGdVL3f/FTw4WTUXM=

  35. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJr Iiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5+ H8N4KrGdVL3f/FTw4WTUXM=

  36. Live coding !

  37. Is the JWT encrypted?

  38. JWTs are signed, not encrypted

  39. How does the server know that we didn't mess with

    the JWT?

  40. Don't Reinvent The Wheel JWT libraries are available for almost

    every language and framework

  41. Creating a JWT with jsonwebtoken const jwt = require('jsonwebtoken') const

    token = jwt.sign({ name: 'thameera' }, 'mySecret123')

  42. Verifying a JWT const jwt = require('jsonwebtoken') try { const

    decoded = jwt.verify(token, 'mySecret123') } catch(e) { console.log('Invalid token!!!') }

  43. Advantages of JWTs ! Compact Stateless Scalable Decoupled Cross Domain

  44. Sessions vs Tokens Pass by Reference vs Pass by Value

  45. Where to go from here?

  46. JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519

  47. JWT Handbook https://goo.gl/HyzEZA

  48. Thank you!