Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSON Web Tokens

Avatar for Thameera Senanayaka Thameera Senanayaka
August 17, 2017
Programming
1
240

JSON Web Tokens

Event: Colombo JavaScript Meetup
Date: 2017/08/17

Avatar for Thameera Senanayaka

Thameera Senanayaka

August 17, 2017
Tweet

Other Decks in Programming

See All in Programming
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
300
Go Conference 2025: Goで体感するMultipath TCP ― Go 1.24 時代の MPTCP Listener を理解する
Avatar for Takeru Hayasaka takehaya
9
1.7k
Advance Your Career with Open Source
Avatar for ivargrimstad ivargrimstad
0
480
Go言語はstack overflowの夢を見るか?
Avatar for Takuto Nagami logica0419
0
120
非同期jobをtransaction内で 呼ぶなよ!絶対に呼ぶなよ!
Avatar for Yuto Urushima alstrocrack
0
710
AI Coding Meetup #3 - 導入セッション / ai-coding-meetup-3
Avatar for Masayuki Izumi izumin5210
0
3.3k
GraphQL×Railsアプリのデータベース負荷分散 - 月間3,000万人利用サービスを無停止で
Avatar for Koya Masuda koxya
1
1.3k
Le côté obscur des IA génératives
Avatar for Pascal Le Merrer pascallemerrer
0
140
iOSエンジニア向けの英語学習アプリを作る!
Avatar for yukawashouhei yukawashouhei
0
190
PHPに関数型の魂を宿す〜PHP 8.5 で実現する堅牢なコードとは〜 #phpcon_hiroshima / phpcon-hiroshima-2025
Avatar for shogogg shogogg
1
140
What's new in Spring Modulith?
Avatar for Oliver Drotbohm olivergierke
1
140
大規模アプリのDIフレームワーク刷新戦略 ~過去最大規模の並行開発を止めずにアプリ全体に導入するまで~
Avatar for GO Inc. dev mot_techtalk
1
430

Featured

See All Featured
Done Done
Avatar for chrislema chrislema
185
16k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
37
2.9k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
79
6k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.8k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.2k
It's Worth the Effort
Avatar for 3n 3n
187
28k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
127
53k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
331
21k
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
274
41k

Transcript

  1. JSON Web Tokens Thameera Senanayaka

  2. @thameera twitter.com/thameera

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None

  17. JSON Web Tokens aka JWT

  18. RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between

    two parties

  19. JSON Web Token

  20. { "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"]

    }

  21. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMH w1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYi LCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKo mEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q

  22. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuY W1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoM Hw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAy ZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC8 3nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0 Q

  23. JWT.io

  24. Demo

  25. Signing algorithms → HMAC → RSA → ECDSA

  26. Payload Reserved claims iss, sub, exp, aud, ...

  27. How to build a JWT

  28. payload { "name": "jon snow", "house": "stark", "sub": "1234" }

  29. base64 encode the payload bPayload = base64( payload ) eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIi

    wic3ViIjoiMTIzNCJ9

  30. header { "typ": "JWT", "alg": "HS256" }

  31. base64 encode the header bHeader = base64( header ) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

  32. signature signature = sign( bHeader + '.' + bPayload, secret

    ) sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' ) bSignature = base64( signature ) TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/ FTw4WTUXM=

  33. Add everything together jwt = bHeader.bPayload.bSignature

  34. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YX JrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4I t5+H8N4KrGdVL3f/FTw4WTUXM=

  35. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuY W1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJr Iiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5+ H8N4KrGdVL3f/FTw4WTUXM=

  36. Live coding !

  37. Is the JWT encrypted?

  38. JWTs are signed, not encrypted

  39. How does the server know that we didn't mess with

    the JWT?

  40. Don't Reinvent The Wheel JWT libraries are available for almost

    every language and framework

  41. Creating a JWT with jsonwebtoken const jwt = require('jsonwebtoken') const

    token = jwt.sign({ name: 'thameera' }, 'mySecret123')

  42. Verifying a JWT const jwt = require('jsonwebtoken') try { const

    decoded = jwt.verify(token, 'mySecret123') } catch(e) { console.log('Invalid token!!!') }

  43. Advantages of JWTs ! Compact Stateless Scalable Decoupled Cross Domain

  44. Sessions vs Tokens Pass by Reference vs Pass by Value

  45. Where to go from here?

  46. JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519

  47. JWT Handbook https://goo.gl/HyzEZA

  48. Thank you!