What is Json Web Token? JWT Token Explained

00:00

today we'll talk about what a json web

00:02

token is and how it works

00:05

so let's get coding if you arrived at

00:07

this video you're probably no stranger

00:09

to the concept of authentication and

00:11

authorization but in summary

00:13

authentication is the process of

00:15

verifying the identity of a user or a

00:17

process what this means is that there

00:19

are certain rules and policies in place

00:21

to prevent unauthenticated users from

00:23

accessing certain pages or even data

00:26

let's take an e-commerce website for

00:27

example such as amazon so you're able to

00:29

uh access that website and to see a list

00:32

of products or at least the product that

00:34

you're looking for

00:36

in a list you're able to sort through it

00:39

and you're able to see prices and the

00:40

more details about the product and

00:42

reviews about it however what you're not

00:45

able to see

00:46

is a seller's dashboard with the

00:48

revenues and profits that the seller has

00:51

made and that is due to authentication

00:53

if you were to be a seller and you were

00:56

to be authenticated then you would have

00:58

had access to the seller's dashboard

01:00

failing that you don't have access to it

01:03

but you're authenticated on amazon say

01:05

and you don't have access to any

01:07

seller's dashboard and you might ask

01:09

yourself well i'm logged in why can't i

01:12

see any sellers dashboard well that's

01:14

because of authorization authorization

01:17

is the process of giving access to

01:19

specific resources based on certain

01:22

rules or policies if we take our example

01:25

when you go on amazon and you register

01:27

you register as a buyer therefore the

01:30

application assigns you a security role

01:32

of a buyer if you register as a seller

01:35

you guessed it you get assigned a role

01:37

of seller so this is how the application

01:39

knows the two different types of users

01:42

now that we understand these two very

01:43

important concepts authentication and

01:45

authorization we are now ready to talk

01:47

about json web token and according to

01:50

jwt.io a json web token is an industry

01:53

standard rfc 7519 method for

01:57

representing claims between two

01:58

different parties securely and i'll

02:02

explain what that means in a moment a

02:04

token as such is made of three main

02:07

components

02:09

a header a payload and a signature

02:12

and let's talk about each one of them in

02:15

particular so the header holds two

02:17

things the type of token identified with

02:20

typ notation and the sign-in algorithm

02:24

used under the alg notation in this case

02:27

the type of algorithm is jwt and the alg

02:31

is the

02:32

sha-256

02:34

or

02:35

as you see here hs256

02:39

the payload

02:41

holds claims and claims are just pieces

02:43

of information describing the subject

02:45

right there are three three types of

02:47

claims registered public and private

02:51

let's talk about them individually very

02:53

briefly registered claims are three

02:55

characters long and are not mandatory

02:57

but recommended some examples are iss

03:00

issuer exp

03:03

obviously the token expiration time and

03:05

sub subject or aud you'll see more often

03:10

meaning audience

03:12

so that's registered claims public

03:14

claims

03:15

these are custom claims that we can

03:17

define ourselves

03:19

be careful to avoid collisions however

03:21

with the private or registered ones and

03:23

i'll link you up with the full list of

03:26

registered claims in the description and

03:28

last but not least the private claims

03:30

created to share information between

03:31

parties that agree on using them some

03:34

examples are the user security role or

03:36

the user id

03:38

so the third component of a json web

03:40

token is the signature which is used to

03:42

verify the message

03:44

that the message wasn't tampered with

03:46

along the way and it holds three pieces

03:48

of data the encoded header

03:51

and the payload and the secret key if

03:53

this video is helpful to you so far why

03:55

not hit that like button so that this

03:57

video can spread to as many people as

03:58

possible i would really appreciate it

04:00

and i do weekly tutorials and

04:02

discussions such as this one so if

04:03

you're into this kind of content

04:05

consider subscribing now that we

04:07

understand what authentication means

04:09

what um authorization is and what a json

04:12

web token is and the the three main

04:14

components of it

04:16

let's switch over to a diagram that i've

04:17

got for you and let's explain how jwt

04:21

actually works okay so here we are and

04:24

on the left hand side we've got the

04:26

client and this is the user that goes on

04:30

say amazon and um we have here what i

04:34

wanted it to be a web page and this

04:37

represents the browser and then on the

04:39

on the right hand side we have the

04:41

server which is a place that users can

04:45

clients can access data through so that

04:48

could be

04:49

an api say for our example okay so the

04:52

very first thing for a user for the

04:54

client is to log in so the client

04:58

attempts the user attempts to log in

05:01

so what the server does is the point of

05:03

logging in obviously it logs the user in

05:06

if the user is

05:08

registered in the system and it issues a

05:11

jwt at that specific point so when the

05:14

user logs in so here we've got the jwt

05:17

the json web token this uh token

05:19

contains all the information that we've

05:21

talked about

05:23

previously um and uh this is issued on

05:26

the server side and is sent to the

05:28

client um with the response back from

05:32

the from the login request yeah and then

05:35

the client stores this

05:37

in the browser so this jwt is stored in

05:41

more often than not in a in a cookie in

05:44

a session cookie inside the browser b

05:46

chrome firefox you name it and then the

05:50

next thing that the client wants to do

05:53

say is

05:54

search for a product search for hair

05:58

products on amazon so that means that

06:01

the client sends a request to the server

06:04

and the server when the very next

06:08

request that comes to the server from

06:10

the client um

06:12

the server validates that jwt because

06:16

the jwt token is also sent along with

06:20

the request so say the user searches for

06:24

uh hair products in the search bar this

06:27

jwt goes along with the data that the

06:30

user

06:32

requested and at that point the server

06:34

can take this jwt and validate it and if

06:37

it's valid then the server responds back

06:40

with the 200 if it's not valid

06:43

and then the server responds back with

06:46

uh um

06:47

unauthenticated with a not authenticated

06:50

bet request

06:52

and

06:53

the server does not allow the client to

06:56

access

06:57

any resources because the jwt

07:00

is not valid but in our case everything

07:03

has gone smoothly the token has been

07:05

validated because it's just been issued

07:07

and it's not expired yet so everything

07:09

is okay

07:11

okay so this is in short what json web

07:13

token is why it's important and how it

07:16

works keep an eye out for a video that i

07:18

will be publishing very shortly to show

07:20

you how you can add authentication and

07:21

authorization to your asp.net core web

07:24

api with json web token matter of fact

07:26

check it out on screen right now if it

07:28

is available already until next time

07:31

stay safe