Introduction to JWT


With APIs becoming so popular thanks to SPA-based applications, it also became necessary to keep those APIs secure. The most common way of securing an API is token-based authentication, whose flow looks roughly like this:

1. In the browser, the user enters a username and password, and the request goes from the client application to the server.

2. The server looks up the user, authenticates them, and sends a unique random token back to the client application.

3. The client application stores the token (in a session or a cookie) and sends it with each subsequent request.

4. The server receives every request that requires authentication, looks the token up to identify the user, and returns the requested data to the client application.

5. When the user logs out, the client application discards the token and the server deletes its record of it, so subsequent requests to the Rails app become unauthorized.


This approach has a few shortcomings. Every token has to be stored in our database and fetched on every request just to authenticate it. If the same long-lived token is stored as-is in the DB, a leak of that table hands out working bearer tokens; and if we instead rotate the token on every request (a handshake), multi-device login becomes difficult to handle.
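The server side of the five-step flow above, as an added example that is not part of the original post: an in-memory table stands in for the database that opaque tokens require, and only SHA-256(token) is stored so that a leaked table does not yield usable bearer tokens. USERS, TokenStore and the sample credentials are assumptions for this demo.

```ruby
require 'securerandom'
require 'openssl'

# Constructed sample credential store: username => SHA-256 of the password.
# (A real application stores a slow hash such as bcrypt, not plain SHA-256.)
USERS = {
  'alice' => OpenSSL::Digest::SHA256.hexdigest('correct horse battery staple')
}.freeze

# Hypothetical server-side store for the opaque-token flow.
class TokenStore
  def initialize
    # token digest => username. Only SHA-256(token) is kept, so a copy of
    # this table does not hand an attacker tokens they can replay.
    @sessions = {}
  end

  # Steps 1-2: check the credentials, mint a random opaque token, remember
  # its digest, and hand the raw token to the client.
  def login(username, password)
    stored = USERS[username]
    candidate = OpenSSL::Digest::SHA256.hexdigest(password.to_s)
    return nil unless stored && constant_time_equal(stored, candidate)
    token = SecureRandom.urlsafe_base64(32) # 256 bits of randomness, unguessable
    @sessions[digest(token)] = username
    token
  end

  # Steps 3-4: every authenticated request costs one lookup in the store.
  def authenticate(token)
    return nil if token.nil? || token.empty?
    @sessions[digest(token)]
  end

  # Step 5: logout deletes the server-side record, so the token is rejected
  # from now on even if a client still holds a copy of it.
  def logout(token)
    !@sessions.delete(digest(token)).nil?
  end

  # Each device that logs in gets its own token, so multi-device login is
  # just several live rows.
  def active_sessions
    @sessions.size
  end

  private

  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end

  # Compare two strings without leaking, through timing, where they differ.
  def constant_time_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Note that logout works here only because the server keeps state; that state is exactly what the next section's JWT approach removes, which is also why a plain JWT cannot be revoked the same way.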

JWT came into the picture to fix these problems of token-based authentication.

JWT stands for JSON Web Token. The idea is that the server signs a compact JSON object carrying the authentication claims, instead of issuing an opaque random token that has to be stored in the DB. Note that the payload is encoded, not encrypted: anyone holding the token can read it, but nobody can alter it without the server's signing key.

Now let's see how this changes the simple token-based flow above:

1. In the browser, the user enters a username and password, and the request goes from the client application to the server.

2. The server receives the request and authenticates the user.

3. At the server, the JWT library signs some user information, say the user id, username or email, into a compact JSON Web Token. Because the payload is readable by anyone who holds the token, a password must never be put in it.

4. This token is included in the response and sent back to the client.

5. The client app stores the token in a session or cookie and sends it with every subsequent request.

6. Now the server verifies the signature and decodes the token to authenticate the user, without a database lookup.

So one thing is sure: we no longer need to store the token in our database. In case you are still not clear about its exact flow, you can go through

A JWT consists of three parts:
1. header: describes the signing algorithm (alg) and the type of token (typ).
2. payload: the claims about the user (e.g. email, username, user id, expiry time). These are only base64url-encoded, so no passwords or other secrets belong here.
3. signature: computed with the server's key over base64url(header) + "." + base64url(payload), so that the server can check the token was issued by it and has not been modified.

So if we encode the token with the ruby-jwt gem like this (the algorithm name is 'HS256', HMAC with SHA-256):

require 'jwt'                          # ruby-jwt gem
hmac_secret = ENV.fetch('JWT_SECRET')  # server-side key; the client never sees it
JWT.encode({ email: "", user_id: 1 }, hmac_secret, 'HS256')  # claims are not encrypted: no passwords here

We will get a string made of three base64url-encoded parts separated by dots: header, payload and signature. Decoding it with the same secret verifies the signature and gives back the original JSON claims.
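To make the six-step flow, the three-part structure and the encode call above concrete, here is an added example in plain Ruby that is neither code from the original post nor the jwt gem: a minimal HS256 signer and verifier built only on OpenSSL and JSON. MiniJWT, the secret and the sample claims are assumptions for this demo. It goes slightly beyond the text by also honouring the exp claim and by refusing any alg other than HS256, so that a token rewritten with "alg":"none" or a different key is rejected.

```ruby
require 'openssl'
require 'json'

# Hypothetical minimal JWT implementation, HS256 only (added example).
module MiniJWT
  Error = Class.new(StandardError)

  # base64url per RFC 7515: standard base64, URL-safe alphabet, no padding.
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str + '=' * ((4 - str.length % 4) % 4)
    padded.tr('-_', '+/').unpack1('m0') # strict decode; raises ArgumentError on junk
  end

  # Parts 1 and 2 are base64url JSON; part 3 is HMAC-SHA256 over "part1.part2".
  def self.encode(payload, secret)
    header = { 'alg' => 'HS256', 'typ' => 'JWT' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url(signature)}"
  end

  # Verify first, then trust the claims. Rejects a wrong number of parts, any
  # alg other than HS256, a bad signature, and an expired token.
  def self.decode(token, secret, now: Time.now.to_i)
    parts = token.to_s.split('.')
    raise Error, 'malformed token: expected header.payload.signature' unless parts.length == 3
    h, p, s = parts
    header = JSON.parse(b64url_decode(h))
    raise Error, 'malformed header' unless header.is_a?(Hash)
    # The verifier pins the algorithm; the token does not get to choose it.
    raise Error, "unexpected alg #{header['alg'].inspect}" unless header['alg'] == 'HS256'
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{h}.#{p}")
    raise Error, 'bad signature' unless constant_time_equal(expected, b64url_decode(s))
    payload = JSON.parse(b64url_decode(p))
    raise Error, 'malformed payload' unless payload.is_a?(Hash)
    raise Error, 'token expired' if payload['exp'] && now >= payload['exp']
    payload
  rescue ArgumentError, JSON::ParserError => e
    raise Error, "malformed token: #{e.message}"
  end

  # Anyone holding the token can read the claims without the key, which is
  # why the payload must carry identifiers, never a password.
  def self.peek(token)
    JSON.parse(b64url_decode(token.to_s.split('.')[1].to_s))
  end

  def self.constant_time_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'demo-secret-do-not-reuse' # assumption: a real key comes from the environment
  token = MiniJWT.encode({ 'sub' => 'alice', 'exp' => Time.now.to_i + 3600 }, secret)
  puts token
  puts MiniJWT.decode(token, secret).inspect
end
```

The header part of every token produced here begins with eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, the base64url form of {"alg":"HS256","typ":"JWT"}; when you see that prefix in traffic you are looking at a readable, unencrypted payload right after the first dot.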

Hope you liked reading it. I will come up with more information regarding JWT and how we can use it with Rails soon.

