Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JSON Web Tokens
Search
Thameera Senanayaka
August 17, 2017
Programming
1
230
JSON Web Tokens
Event: Colombo JavaScript Meetup
Date: 2017/08/17
Thameera Senanayaka
August 17, 2017
Tweet
Share
Other Decks in Programming
See All in Programming
Reactの歴史を振り返る
tutinoko
1
150
AIのメモリー
watany
11
1.1k
AIに安心して任せるためにTypeScriptで一意な型を作ろう
arfes0e2b3c
0
280
はじめてのWeb API体験 ー 飲食店検索アプリを作ろうー
akinko_0915
0
180
0から始めるモジュラーモノリス-クリーンなモノリスを目指して
sushi0120
0
210
DataformでPythonする / dataform-de-python
snhryt
0
100
QA x AIエコシステム段階構築作戦
osu
0
220
iOS開発スターターキットの作り方
akidon0000
0
220
中級グラフィックス入門~効率的なメッシュレット描画~
projectasura
3
1.9k
Vibe Codingの幻想を超えて-生成AIを現場で使えるようにするまでの泥臭い話.ai
fumiyakume
20
9.6k
抽象化という思考のツール - 理解と活用 - / Abstraction-as-a-Tool-for-Thinking
shin1x1
1
890
MCP連携で加速するAI駆動開発/mcp integration accelerates ai-driven-development
bpstudy
0
170
Featured
See All Featured
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
50
5.5k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Building Applications with DynamoDB
mza
95
6.5k
For a Future-Friendly Web
brad_frost
179
9.8k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.4k
Designing for humans not robots
tammielis
253
25k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
KATA
mclloyd
31
14k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
Rebuilding a faster, lazier Slack
samanthasiow
83
9.1k
Transcript
JSON Web Tokens Thameera Senanayaka
@thameera twitter.com/thameera
None
None
None
None
None
None
None
None
None
None
None
None
None
None
JSON Web Tokens aka JWT
RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between
two parties
JSON Web Token
{ "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"]
}
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMH w1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYi LCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKo mEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoM Hw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAy ZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC8 3nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0 Q
JWT.io
Demo
Signing algorithms → HMAC → RSA → ECDSA
Payload Reserved claims iss, sub, exp, aud, ...
How to build a JWT
payload { "name": "jon snow", "house": "stark", "sub": "1234" }
base64 encode the payload bPayload = base64( payload ) eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIi
wic3ViIjoiMTIzNCJ9
header { "typ": "JWT", "alg": "HS256" }
base64 encode the header bHeader = base64( header ) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
signature signature = sign( bHeader + '.' + bPayload, secret
) sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' ) bSignature = base64( signature ) TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/ FTw4WTUXM=
Add everything together jwt = bHeader.bPayload.bSignature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YX JrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4I t5+H8N4KrGdVL3f/FTw4WTUXM=
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJr Iiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5+ H8N4KrGdVL3f/FTw4WTUXM=
Live coding !
Is the JWT encrypted?
JWTs are signed, not encrypted
How does the server know that we didn't mess with
the JWT?
Don't Reinvent The Wheel JWT libraries are available for almost
every language and framework
Creating a JWT with jsonwebtoken const jwt = require('jsonwebtoken') const
token = jwt.sign({ name: 'thameera' }, 'mySecret123')
Verifying a JWT const jwt = require('jsonwebtoken') try { const
decoded = jwt.verify(token, 'mySecret123') } catch(e) { console.log('Invalid token!!!') }
Advantages of JWTs ! Compact Stateless Scalable Decoupled Cross Domain
Sessions vs Tokens Pass by Reference vs Pass by Value
Where to go from here?
JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519
JWT Handbook https://goo.gl/HyzEZA
Thank you!