Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSON Web Tokens

Avatar for Thameera Senanayaka Thameera Senanayaka
August 17, 2017
Programming
1
260

JSON Web Tokens

Event: Colombo JavaScript Meetup
Date: 2017/08/17

Avatar for Thameera Senanayaka

Thameera Senanayaka

August 17, 2017
Tweet

Other Decks in Programming

See All in Programming
SourceGeneratorのススメ
Avatar for tkym htkym
0
160
AIによるイベントストーミング図からのコード生成 / AI-powered code generation from Event Storming diagrams
Avatar for nrs nrslib
2
1.7k
CSC307 Lecture 02
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
770
なるべく楽してバックエンドに型をつけたい!(楽とは言ってない)
Avatar for HIBIKI CUBE hibiki_cube
0
130
プロダクトオーナーから見たSOC2 _SOC2ゆるミートアップ#2
Avatar for Kenta Suzuki kekekenta
0
120
The Art of Re-Architecture - Droidcon India 2025
Avatar for Sid Patil siddroid
0
170
カスタマーサクセス業務を変革したヘルススコアの実現と学び
Avatar for Tomoyuki Hamaguchi _hummer0724
0
420
Grafana:建立系統全知視角的捷徑
Avatar for Blueswen blueswen
0
310
LLM Observabilityによる 対話型音声AIアプリケーションの安定運用
Avatar for Hiroyuki Moriya gekko0114
2
400
Graviton と Nitro と私
Avatar for maroon1st maroon1st
0
180
CSC307 Lecture 06
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
670
Data-Centric Kaggle
Avatar for ねぼすけAI isax1015
2
710

Featured

See All Featured
Heart Work Chapter 1 - Part 1
Avatar for Lake Fama lfama
PRO
5
35k
Navigating Weather and Climate Data
Avatar for Ryan Abernathey rabernat
0
80
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.7k
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
2.1M
What the history of the web can teach us about the future of AI
Avatar for Ines Montani inesmontani
PRO
1
420
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
71k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
38
2.7k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.2k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
330
40k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
57
6.7k
Leo the Paperboy
Avatar for Maya Tellez mayatellez
4
1.3k
Leadership Guide Workshop - DevTernity 2021
Avatar for David Neal reverentgeek
1
190

Transcript

  1. JSON Web Tokens Thameera Senanayaka

  2. @thameera twitter.com/thameera

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None

  17. JSON Web Tokens aka JWT

  18. RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between

    two parties

  19. JSON Web Token

  20. { "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"]

    }

  21. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMH w1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYi LCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKo mEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q

  22. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoM Hw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAy ZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC8 3nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0 Q

  23. JWT.io

  24. Demo

  25. Signing algorithms → HMAC → RSA → ECDSA

  26. Payload Reserved claims iss, sub, exp, aud, ...

  27. How to build a JWT

  28. payload { "name": "jon snow", "house": "stark", "sub": "1234" }

  29. base64 encode the payload bPayload = base64( payload ) eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIi

    wic3ViIjoiMTIzNCJ9

  30. header { "typ": "JWT", "alg": "HS256" }

  31. base64 encode the header bHeader = base64( header ) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

  32. signature signature = sign( bHeader + '.' + bPayload, secret

    ) sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' ) bSignature = base64( signature ) TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/ FTw4WTUXM=

  33. Add everything together jwt = bHeader.bPayload.bSignature

  34. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YX JrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4I t5+H8N4KrGdVL3f/FTw4WTUXM=

  35. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJr Iiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5+ H8N4KrGdVL3f/FTw4WTUXM=

  36. Live coding !

  37. Is the JWT encrypted?

  38. JWTs are signed, not encrypted

  39. How does the server know that we didn't mess with

    the JWT?

  40. Don't Reinvent The Wheel JWT libraries are available for almost

    every language and framework

  41. Creating a JWT with jsonwebtoken const jwt = require('jsonwebtoken') const

    token = jwt.sign({ name: 'thameera' }, 'mySecret123')

  42. Verifying a JWT const jwt = require('jsonwebtoken') try { const

    decoded = jwt.verify(token, 'mySecret123') } catch(e) { console.log('Invalid token!!!') }

  43. Advantages of JWTs ! Compact Stateless Scalable Decoupled Cross Domain

  44. Sessions vs Tokens Pass by Reference vs Pass by Value

  45. Where to go from here?

  46. JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519

  47. JWT Handbook https://goo.gl/HyzEZA

  48. Thank you!