Authentication using JSON Web Tokens (part I)

An explanation of JSON Web Tokens and how they can be used in authentication

Bhanuka Dissanayake
Level Up Coding



In this post, I will explain what JSON Web Tokens are and how they can be used in authentication.

What is JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. Note that a signed JWT is encoded, not encrypted: anyone who holds the token can read its header and payload, so the signature provides integrity and authenticity, not confidentiality. If the contents must stay secret, they need a separate layer such as TLS in transit or JWE (RFC 7516).

JSON Web Tokens are used for two main purposes: authorization and information exchange.

JSON Web Tokens in authorization

This is the most common use of JWT. Once the user has logged in with a username and password, they receive a JSON Web Token, and every subsequent request carries that token to access the routes, services and resources it permits. JWTs are popular here because of their small overhead and because they are easy to use across different domains.

JSON Web Tokens for information exchange

JSON Web Tokens are a good way of transmitting information between parties with a guarantee of integrity. Because JWTs can be signed, for example with a public/private key pair, the recipient can verify who issued them. Additionally, because the signature is calculated over the header and the payload, the recipient can also verify that the content has not been tampered with.

JWT structure

A JSON Web Token consists of three parts, separated by dots (.):

1. Header

The header typically consists of two fields: the type of the token (typ, which is JWT) and the signing algorithm (alg), such as HMAC SHA256 or RSA.

2. Payload

The payload contains the claims. Claims are statements about an entity (typically the user) plus any additional data. RFC 7519 registers a set of standard claims, including iss (issuer), sub (subject), aud (audience), iat (issued at) and exp (expiration time); applications can add their own.

3. Signature

The signature is computed over the base64url-encoded header and the base64url-encoded payload, using the algorithm named in the header together with the secret (or private key). With HMAC SHA256, for example, the signature is HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret). The three base64url-encoded parts are then joined with dots to form the token.

One caveat: the alg value lives in the header, which is not yet verified when the token arrives. A verifier should therefore accept only the algorithm(s) it expects, rather than trusting whatever an incoming token says about itself.

If you want to play with JWT and put these concepts into practice, you can use the jwt.io Debugger to decode, verify, and generate JWTs. Use test tokens for this rather than tokens from a production system.


How are JSON Web Tokens used in authentication?

In the first request, the client sends a POST request with the username and password. After successful authentication, the (authorization) server generates a JWT and sends it to the client. Whenever the client wants to access a protected route or resource, it sends the JWT along, typically in the Authorization header using the Bearer scheme.


Using this token the server authenticates the user, so the client does not need to send the username and password with every request. The payload can carry claims such as the user ID: when the client presents the JWT again, a valid signature tells you the token was issued by you (or by whoever holds the signing key), and the claims tell you to whom it was issued. Because a stolen token is usable by anyone who holds it until it expires, issue tokens with an exp claim, keep their lifetime short, check expiry on every request and send them only over TLS.
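The following is an added example, not code from the original post, that ties together the token structure described above (header, payload and HMAC SHA256 signature joined with dots) and the authentication flow just described (issue a token at login, then verify it from a Bearer Authorization header on each request). It uses only the Python standard library. The secret, the claims, the fixed clock value and the two "attack" helpers (a payload swap and an alg "none" forgery) are constructed for the demo; the verifier pins HS256 rather than trusting the header, compares signatures in constant time and enforces exp.

```python
"""HS256 JSON Web Token issue/verify demo using only the Python standard library."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed signing secret for the demo; a real service loads this from a secret store.
SECRET = b"demo-secret-do-not-use-in-production"
# Fixed clock so the demo is reproducible (constructed value, not a real timestamp).
DEMO_NOW = 1_700_000_000


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_json(obj: dict) -> str:
    """Compact JSON, then base64url: how the header and payload segments are built."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_jwt(claims: dict, secret: bytes, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Return header.payload.signature for the claims, signed with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl_seconds}
    signing_input = encode_json(header) + "." + encode_json(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify an HS256 token and return its claims; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    # The accepted algorithm is pinned here, not read from the token, so a header
    # that says alg "none" (or anything but HS256) is rejected before any signature check.
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict) or "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")
    return claims


def claims_from_authorization_header(header_value: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Pull the token out of 'Authorization: Bearer <token>' and verify it."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected 'Authorization: Bearer <token>'")
    return verify_jwt(token.strip(), secret, now)


def verification_error(token: str, secret: bytes, now: Optional[int] = None) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_jwt(token, secret, now)
    except ValueError as exc:
        return str(exc)
    return None


def tamper_payload(token: str, new_claims: dict) -> str:
    """Constructed attack: replace the payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{encode_json(new_claims)}.{sig_b64}"


def forge_alg_none(claims: dict) -> str:
    """Constructed attack: an unsigned token whose header claims alg "none"."""
    return encode_json({"alg": "none", "typ": "JWT"}) + "." + encode_json(claims) + "."


if __name__ == "__main__":
    token = issue_jwt({"sub": "user-42", "role": "reader"}, SECRET, now=DEMO_NOW)
    print("issued:", token)
    print("claims:", claims_from_authorization_header("Bearer " + token, SECRET, now=DEMO_NOW + 10))
    admin = {"sub": "user-42", "role": "admin", "exp": DEMO_NOW + 3600}
    for label, bad, now in [("tampered payload", tamper_payload(token, admin), DEMO_NOW + 10),
                            ("alg none", forge_alg_none(admin), DEMO_NOW + 10),
                            ("expired", token, DEMO_NOW + 3600)]:
        print(f"{label}: rejected ({verification_error(bad, SECRET, now)})")
```

Running the script prints the issued token, the claims recovered from the Bearer header, and one rejection line for each of the three bad cases. The order of the checks matters: the algorithm is fixed before the signature is examined, the signature is checked before the payload is trusted, and expiry is enforced on every call rather than only at login.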

I hope this gave you the basic idea of JSON Web Tokens and how they are used in authentication. See you in the next post!


Software Engineer | Computer Science & Engineering — University of Moratuwa