What is Json Web Token? JWT Token Explained

Code with Julian

7 Nov 202107:32

Summary

TLDRThe video explains authentication and authorization processes to control access to web resources. It then introduces JSON Web Tokens (JWTs) - an industry standard for securely representing user identity and access claims. JWTs have three components - a header, payload, and signature. The header and payload contain metadata, while the signature verifies integrity. When a user logs in, the server returns a signed JWT containing the user's claims to the client. The client stores the JWT and includes it in future requests. The server validates the JWT signature and claims on each request before allowing access.

Takeaways

📝 JWTs allow secure representation of claims between parties
🔑 They contain 3 components: header, payload & signature
👤 Header & payload are encoded & signature verifies integrity
🔐 JWTs used for authentication & authorization
🛂 Server issues JWT when user logs in, client stores it
⚖️ JWT sent with subsequent requests to access resources
✅ Server validates JWT to allow/deny access to resources
😄 Custom claims can share info between agreed parties
⏱ JWT expiration times prevent reuse if compromised
👍 JWT becoming industry standard for authentication

Q & A

What is the difference between authentication and authorization?
-Authentication is the process of verifying the identity of a user. Authorization is the process of granting access to specific resources based on certain rules and policies.
What are the three main components of a JSON Web Token (JWT)?
-The three main components of a JWT are: the header, the payload, and the signature.
What kind of information is stored in the header and payload of a JWT?
-The header holds the token type and signing algorithm information. The payload holds claims about the user such as ID, role, or other custom claims.
What are the three types of claims that can be included in a JWT payload?
-The three types of claims are: registered claims, public claims, and private claims.
What is the purpose of the signature component in a JWT?
-The signature is used to verify that the JWT message was not tampered with along the way. It encodes the header, payload, and a secret key.
Where is the JWT token stored on the client side?
-The JWT token is most often stored in a session cookie inside the web browser on the client side.
How does the server validate incoming requests that contain a JWT?
-The server validates JWTs from incoming requests by decoding the token and checking factors like expiry, signature validity, and claims.
What does the server respond with if JWT validation fails?
-If JWT validation fails, the server responds with an unauthorized or unauthenticated error status code to deny access.
Why are JWTs useful for authentication?
-JWTs allow stateless authentication by encoding user data and credentials into a compact token that can be easily passed in requests for authorization.
When is a new JWT issued to the client?
-A new JWT is issued to the client upon successful login or authentication with the server.