Where do I need to use JWT?

Structure and protocol aside, I was wondering where the JWT fits into client / server communication?

  • Is there a need to replace authentication and session cookies here?
  • Is it meant to do away with server-side session-token storage (in a database or in memory)?
  • Is it for clients to make sure they are getting data from the server they expect, and if that's not a concern, do I not need a JWT?
  • Is it necessary or good practice for server-to-server communication when the connection is already HTTPS / SSL?


3 answers


What is JWT?

It is a token that can only be generated by the server and can contain a data payload.

What is the point?

The JWT payload can contain things like a user ID, so when a client sends you a JWT, you can be sure that you issued it and you can see who it was issued to.

Where can this be useful?


Usually, in a RESTful API, where the server shouldn't be using any sessions.

How is it different from using sessions?

  • In a typical session flow, the browser sends a cookie containing a token, which is then matched on the server with some data that the server uses to authenticate the user.

  • In a JWT flow, the token itself contains the data. The server only decrypts the token to authenticate the user. The data is not stored on the server.

What is the regular authentication flow using JWT?

  • User credentials are sent to /signin
  • /signin returns a JWT
  • The JWT is stored in localStorage
  • The JWT is sent on every request (to the API?)
  • The server decrypts the JWT and extracts the user ID from it
  • The server sends the response to the authenticated user.


JWT is just a popular JSON-based security token format.

JWT tokens are not meant to replace session cookies. They are mainly used to secure web APIs (data requests). Session cookies, on the other hand, are used in web applications where you log in and the browser automatically sends the cookie with every request (page requests).

JWT tokens are included in the HTTP Authorization header as part of the bearer authentication scheme. The main advantages of bearer authentication are that it is not vulnerable to CSRF attacks, since your script must explicitly attach the token to the request, and that it can be used cross-domain (unlike cookies).


Bearer scheme authentication requires HTTPS connections, as anyone who manages to steal the token can use it to access the API for as long as the token is valid.

Security protocols like OAuth2 use JWT tokens to secure APIs. OpenID Connect uses JWT tokens to authenticate web applications, but stores the token in a cookie.

Since JWT tokens are digitally signed by the issuer (the authenticating server), they can be verified without having to talk to that server again. Digital signatures allow you to sign a piece of data (in this case, a JWT token) with a private key, and the server receiving the token only needs the public key to make sure none of the data has been changed. Thus, the API server only needs the public key (which is not secret) of the authorization server in order to trust the tokens it issues. The API client brings in a token and the API server can verify it without going to the authorization server.



IMO JWT is mostly useful when the issuer (which generates the JWT) and the recipients (which validate the JWT) belong to different autonomous parties. While it is possible, there is no need to replace authentication / session cookies / token storage / etc. with JWT.
