๐ก๐๐ก๐๐ญ ๐๐ซ๐ ๐๐๐๐ฌ?๐ก
If you work with APIs, you've probably come across JWTs. JWT stands for ๐๐๐๐ ๐๐๐ ๐๐จ๐ค๐๐ง, and it's a JSON document that contains information about a user. We call the properties of a JWT claims.
๐งต๐งต๐งต๐งต
1/
#API #jwt #auth #WebSecurity
If you work with APIs, you've probably come across JWTs. JWT stands for ๐๐๐๐ ๐๐๐ ๐๐จ๐ค๐๐ง, and it's a JSON document that contains information about a user. We call the properties of a JWT claims.
๐งต๐งต๐งต๐งต
1/
#API #jwt #auth #WebSecurity
There're two types of JWTs:
๐ ๐๐ ๐ญ๐จ๐ค๐๐ง๐ฌ are tokens carrying user-identifying data like their name and email. You should ๐๐๐๐๐ use an ID token to validate access to an API.
๐ ๐๐๐๐๐ฌ๐ฌ ๐ญ๐จ๐ค๐๐ง๐ฌ are tokens with claims about the right to access an API.
2/
๐ ๐๐ ๐ญ๐จ๐ค๐๐ง๐ฌ are tokens carrying user-identifying data like their name and email. You should ๐๐๐๐๐ use an ID token to validate access to an API.
๐ ๐๐๐๐๐ฌ๐ฌ ๐ญ๐จ๐ค๐๐ง๐ฌ are tokens with claims about the right to access an API.
2/
We use access tokens to validate access to an API.
A JWT has three components: header, payload, and signature
๐
๐ธ ๐๐๐๐๐๐ซ: it identifies the document as a JWT and contains metadata, such as the algorithm and the key ID used to sign the token.
3/
A JWT has three components: header, payload, and signature
๐
๐ธ ๐๐๐๐๐๐ซ: it identifies the document as a JWT and contains metadata, such as the algorithm and the key ID used to sign the token.
3/
๐ธ ๐๐๐ฒ๐ฅ๐จ๐๐: the set of claims that a) identify a user in ID tokens or b) claim the user's access to the API (access tokens).
๐ธ ๐๐ข๐ ๐ง๐๐ญ๐ฎ๐ซ๐: a signature produced by combining the header and the payload. The signature verifies that the JWT is legit.
4/
๐ธ ๐๐ข๐ ๐ง๐๐ญ๐ฎ๐ซ๐: a signature produced by combining the header and the payload. The signature verifies that the JWT is legit.
4/
๐๐๐ ๐๐ฅ๐๐ข๐ฆ๐ฌ
The standard claims of an access token are:
- ๐ข๐ฌ๐ฌ (issuer): identifies the authorization server that issued the JWT.
- ๐ฌ๐ฎ๐ (subject): identifies the subject of the JWT, i.e. the user sending the request to the server.
5/
The standard claims of an access token are:
- ๐ข๐ฌ๐ฌ (issuer): identifies the authorization server that issued the JWT.
- ๐ฌ๐ฎ๐ (subject): identifies the subject of the JWT, i.e. the user sending the request to the server.
5/
- ๐๐ฎ๐ (audience): the JWT's recipient (aka the API server).
- ๐๐ฑ๐ฉ (expiration time): when the JWT expires.
- ๐ง๐๐ (not before time): time before which the JWT mustn't be accepted.
- ๐ข๐๐ญ (issued at time): when the JWT was issued.
- ๐ฃ๐ญ๐ข (JWT ID): a JWT unique ID.
6/
- ๐๐ฑ๐ฉ (expiration time): when the JWT expires.
- ๐ง๐๐ (not before time): time before which the JWT mustn't be accepted.
- ๐ข๐๐ญ (issued at time): when the JWT was issued.
- ๐ฃ๐ญ๐ข (JWT ID): a JWT unique ID.
6/
๐๐๐ ๐ฌ๐ข๐ ๐ง๐ข๐ง๐ ๐๐ฅ๐ ๐จ๐ซ๐ข๐ญ๐ก๐ฆ๐ฌ
JWTs are signed using the HS256 and the RS256 algorithms:
๐ถ ๐๐๐๐๐ uses a secret to encrypt the token.
๐ถ ๐๐๐๐๐ uses a private/public key.
We use this info to apply the right algorithm to verify the tokenโs signature.
7/
JWTs are signed using the HS256 and the RS256 algorithms:
๐ถ ๐๐๐๐๐ uses a secret to encrypt the token.
๐ถ ๐๐๐๐๐ uses a private/public key.
We use this info to apply the right algorithm to verify the tokenโs signature.
7/
โข โข โข
Missing some Tweet in this thread? You can try to
force a refresh
ใ
