Intro to JSON Web Tokens

Goals:

  1. Understand what a JSON Web Token is and how it's used
  2. Be able to protect a server-side endpoint with a JWT
  3. Understand similarities/differences between JWTs and other authentication methods

What if...

"someone discovers a server-side endpoint used for sharing private photographs"

We can protect access to this endpoint by requiring authentication through the use of a JWT.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImJyaXR0YW55IiwicGFzc3dvcmQiOiJoZWxsbyIsImlhdCI6MTQ5OTM0MjA5OSwiZXhwIjoxNDk5NTE0ODk5fQ.PkWZL0OkYeNT1s5C2FUbB1XRpdo409A6ySa_d81dVgM

With a partner, discuss the following questions:

  1. What did you use API keys for? Why did you need them?
  2. How did you use them? Where did you put them in your codebase?
  3. What problems, if any, did you run into when using them?

What is a JWT?

  • a string
  • ...that is base64url-encoded
  • ...and contains authentication data for a particular user

Let's take a look at the anatomy of a JWT

How can we use JWTs?

By sending them to the server as part of a request, in one of three places:

  • in the request body
  • as a query parameter
  • in the Authorization header

Why do we use JWTs?

To verify that a request is coming from an authentic source

  • to prevent data from being exposed to unauthorized users
  • to limit access to features of an application
  • authentication does not equal full security
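A minimal HS256 signer and verifier, added here as an illustration and not code from the original lesson: it shows the three base64url segments, the signature check that makes a token trustworthy, and a Bearer-header check an endpoint can run before serving the photographs. The secret and the claim values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example; a real server keeps it out of source control.
SECRET = b"example-signing-key-not-for-production"

def _b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature with HS256. The payload is only encoded,
    not encrypted, so claims must never carry secrets such as a password."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if signature and expiry check out, otherwise None.
    The server insists on HS256 instead of letting the token's header pick the
    algorithm, and compares signatures in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        now = int(time.time()) if now is None else now
        if "exp" in claims and now >= claims["exp"]:  # expired tokens are rejected
            return None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed segment, bad JSON, or non-dict claims
    return claims

def authorize_request(headers: dict, now=None):
    """Check the 'Authorization: Bearer <jwt>' header of an incoming request."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return verify_jwt(value[len("Bearer "):], now=now)
```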

Resources