What is Json Web Token? JWT Token Explained
Summary
TLDR: The video explains authentication and authorization processes to control access to web resources. It then introduces JSON Web Tokens (JWTs), an industry standard for securely representing user identity and access claims. JWTs have three components: a header, payload, and signature. The header and payload contain metadata, while the signature verifies integrity. When a user logs in, the server returns a signed JWT containing the user's claims to the client. The client stores the JWT and includes it in future requests. The server validates the JWT signature and claims on each request before allowing access.
Takeaways
- 📝 JWTs allow secure representation of claims between parties
- 🔑 They contain 3 components: header, payload & signature
- 👤 Header & payload are encoded & signature verifies integrity
- 🔐 JWTs used for authentication & authorization
- 🛂 Server issues JWT when user logs in, client stores it
- ⚖️ JWT sent with subsequent requests to access resources
- ✅ Server validates JWT to allow/deny access to resources
- 😄 Custom claims can share info between agreed parties
- ⏱ JWT expiration times limit how long a compromised token can be reused
- 👍 JWT becoming industry standard for authentication
Q & A
What is the difference between authentication and authorization?
-Authentication is the process of verifying the identity of a user. Authorization is the process of granting access to specific resources based on certain rules and policies.
What are the three main components of a JSON Web Token (JWT)?
-The three main components of a JWT are: the header, the payload, and the signature.
What kind of information is stored in the header and payload of a JWT?
-The header holds the token type and signing algorithm information. The payload holds claims about the user such as ID, role, or other custom claims.
What are the three types of claims that can be included in a JWT payload?
-The three types of claims are: registered claims, public claims, and private claims.
What is the purpose of the signature component in a JWT?
-The signature is used to verify that the JWT message was not tampered with along the way. It is computed over the encoded header and payload using a secret key.
Where is the JWT token stored on the client side?
-The JWT token is most often stored in a session cookie inside the web browser on the client side.
How does the server validate incoming requests that contain a JWT?
-The server validates JWTs from incoming requests by decoding the token and checking factors like expiry, signature validity, and claims.
What does the server respond with if JWT validation fails?
-If JWT validation fails, the server responds with an unauthorized or unauthenticated error status code to deny access.
Why are JWTs useful for authentication?
-JWTs allow stateless authentication by encoding the user's identity and claims into a compact, signed token that can be easily passed in requests for authorization.
When is a new JWT issued to the client?
-A new JWT is issued to the client upon successful login or authentication with the server.
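As an added illustration (not code from the video), the following Python shows the two sides of the flow the Q&A describes: the server issues an HS256-signed token at login, then on each request verifies the signature before trusting any claim and checks the registered claims iss and exp. The secret, issuer name and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps this out of source code.
SECRET = b"constructed-demo-secret-not-from-the-video"

def b64url(data: bytes) -> str:
    # JWT uses unpadded base64url for all three segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _enc_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def issue_jwt(claims: dict, secret: bytes) -> str:
    """Server side, after a successful login: sign header.payload with HMAC-SHA256."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = _enc_json(header) + "." + _enc_json(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_jwt(token: str, secret: bytes, issuer: str, now: float) -> dict:
    """Server side, on each request: check the signature first, then the claims.

    Returns the payload on success; raises ValueError with the reason otherwise,
    which the caller maps to a 401 response."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The server decides the algorithm; the token's alg is only checked for agreement.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing about the MAC.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise ValueError("token expired")
    return payload
```

Nothing in the payload (the role, for instance) is acted on until the signature check has passed, which is the property that lets the server stay stateless.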
Outlines
📝 What is JSON Web Token and How Does It Work for Authentication
This paragraph provides an introduction to authentication, authorization, and JSON web tokens. It explains that authentication verifies user identity while authorization controls access to resources. JSON web tokens are an industry standard for securely representing claims between parties, consisting of a header, payload, and signature.
❗️ How JSON Web Tokens Work in Practice for Login and Data Access
This paragraph illustrates how JSON web tokens work in practice using a web client-server example. It shows the flow of the user logging in, the server issuing a JWT, the client storing and sending the JWT with requests, and the server validating the JWT to allow or deny access.
Keywords
💡authentication
💡authorization
💡JSON Web Token (JWT)
💡header
💡payload
💡signature
💡registered claims
💡public claims
💡private claims
💡signing algorithm
Highlights
Authentication verifies user identity, authorization gives access to resources based on rules
JSON Web Token has header with token type and algorithm, payload with claims, and signature to verify integrity
Registered claims like iss and exp are standard, public claims are custom, private claims are for parties to share info
Signature encodes header and payload with secret key to detect tampering
When user logs in, server issues JWT with claims, browser stores it, then sends it with subsequent requests
On future requests, server validates JWT token before allowing access to resources
If the JWT is valid, the server responds with data; if not valid, it responds with an unauthorized error
JWT allows stateless authentication since token contains all the user info needed
Registered claims like iss and exp follow the standard; public/private claims must avoid collisions with them
Private claims shared between agreeing parties like user role or ID
JSON Web Tokens became an industry standard for secure claims between parties
JWT payload holds claims, which are pieces of info like iss, exp, and sub
Authorization gives access to resources based on user role assigned during registration
Amazon checks user role to determine if they can access order data or seller dashboard
JWT allows securely transmitting user identity and privileges for access control
Transcripts
Today we'll talk about what a JSON Web Token is and how it works. So let's get coding. If you arrived at this video you're probably no stranger to the concept of authentication and authorization, but in summary, authentication is the process of verifying the identity of a user or a process. What this means is that there are certain rules and policies in place to prevent unauthenticated users from accessing certain pages or even data.

Let's take an e-commerce website for example, such as Amazon. So you're able to access that website and to see a list of products, or at least the product that you're looking for in a list. You're able to sort through it, and you're able to see prices and more details about the product and reviews about it. However, what you're not able to see is a seller's dashboard with the revenues and profits that the seller has made, and that is due to authentication. If you were to be a seller and you were to be authenticated, then you would have had access to the seller's dashboard. Failing that, you don't have access to it.

But say you're authenticated on Amazon and you don't have access to any seller's dashboard, and you might ask yourself, well, I'm logged in, why can't I see any seller's dashboard? Well, that's because of authorization. Authorization is the process of giving access to specific resources based on certain rules or policies. If we take our example, when you go on Amazon and you register, you register as a buyer, therefore the application assigns you a security role of a buyer. If you register as a seller, you guessed it, you get assigned a role of seller. So this is how the application knows the two different types of users.

Now that we understand these two very important concepts, authentication and authorization, we are ready to talk about JSON Web Token. According to jwt.io, a JSON Web Token is an industry standard (RFC 7519) method for representing claims between two different parties securely, and I'll explain what that means in a moment. A token as such is made of three main components: a header, a payload and a signature. Let's talk about each one of them in particular.

So the header holds two things: the type of token, identified with the typ notation, and the signing algorithm used, under the alg notation. In this case the type is JWT and the alg is SHA-256, or, as you see here, HS256.

The payload holds claims, and claims are just pieces of information describing the subject. There are three types of claims: registered, public and private. Let's talk about them individually very briefly. Registered claims are three characters long and are not mandatory but recommended. Some examples are iss (issuer), exp (obviously the token expiration time), sub (subject), or, as you'll see more often, aud, meaning audience. So that's registered claims. Public claims: these are custom claims that we can define ourselves; be careful to avoid collisions, however, with the private or registered ones, and I'll link you up with the full list of registered claims in the description. And last but not least, the private claims, created to share information between parties that agree on using them. Some examples are the user security role or the user ID.

So the third component of a JSON Web Token is the signature, which is used to verify that the message wasn't tampered with along the way, and it holds three pieces of data: the encoded header, the payload and the secret key.

If this video is helpful to you so far, why not hit that like button so that this video can spread to as many people as possible; I would really appreciate it. And I do weekly tutorials and discussions such as this one, so if you're into this kind of content, consider subscribing.

Now that we understand what authentication means, what authorization is, and what a JSON Web Token is and the three main components of it, let's switch over to a diagram that I've got for you and let's explain how JWT actually works.

Okay, so here we are. On the left-hand side we've got the client, and this is the user that goes on, say, Amazon, and we have here what I wanted to be a web page, and this represents the browser. And then on the right-hand side we have the server, which is a place that users, clients, can access data through, so that could be an API, say, for our example. Okay, so the very first thing for a user, for the client, is to log in, so the user attempts to log in. So what the server does at the point of logging in, obviously, is it logs the user in if the user is registered in the system, and it issues a JWT at that specific point, so when the user logs in. So here we've got the JWT, the JSON Web Token. This token contains all the information that we've talked about previously, and this is issued on the server side and is sent to the client with the response back from the login request. And then the client stores this in the browser, so this JWT is stored, more often than not, in a cookie, in a session cookie inside the browser, be it Chrome, Firefox, you name it.

And then the next thing that the client wants to do, say, is search for a product, search for hair products on Amazon. So that means that the client sends a request to the server, and on the very next request that comes to the server from the client, the server validates that JWT, because the JWT token is also sent along with the request. So say the user searches for hair products in the search bar; this JWT goes along with the data that the user requested, and at that point the server can take this JWT and validate it. If it's valid, then the server responds back with the 200. If it's not valid, then the server responds back with unauthenticated, with a "not authenticated" bad request, and the server does not allow the client to access any resources because the JWT is not valid. But in our case everything has gone smoothly; the token has been validated because it's just been issued and it's not expired yet, so everything is okay.

Okay, so this is in short what JSON Web Token is, why it's important and how it works. Keep an eye out for a video that I will be publishing very shortly to show you how you can add authentication and authorization to your ASP.NET Core Web API with JSON Web Token. Matter of fact, check it out on screen right now if it is available already. Until next time, stay safe.