Read on Twitter
๐๐ฒ๐ฎ๐ฟ๐ป ๐๐ช๐ง ๐น๐ถ๐ธ๐ฒ ๐๐ผ๐'๐น๐น ๐ป๐ฒ๐๐ฒ๐ฟ ๐ณ๐ผ๐ฟ๐ด๐ฒ๐.
๐งต
๐งต
Before I tell you all the fun part.
First, it's important to understand two key concepts.
- ๐๐๐๐ต๐ผ๐ฟ๐ถ๐๐ฎ๐๐ถ๐ผ๐ป
- ๐๐๐๐ต๐ฒ๐ป๐๐ถ๐ฐ๐ฎ๐๐ถ๐ผ๐ป
They are similar but not the same.
Let's see how ?
First, it's important to understand two key concepts.
- ๐๐๐๐ต๐ผ๐ฟ๐ถ๐๐ฎ๐๐ถ๐ผ๐ป
- ๐๐๐๐ต๐ฒ๐ป๐๐ถ๐ฐ๐ฎ๐๐ถ๐ผ๐ป
They are similar but not the same.
Let's see how ?
Say you're a developer in a tech company.
Your company ID card is your ๐๐จ๐ง๐๐๐ก๐ง๐๐๐๐ง๐๐ข๐ก - it's your identity.
As a developer you're authorized to code push and deploy.
But you're not authorized to access mergers and acquisition data.
Your company ID card is your ๐๐จ๐ง๐๐๐ก๐ง๐๐๐๐ง๐๐ข๐ก - it's your identity.
As a developer you're authorized to code push and deploy.
But you're not authorized to access mergers and acquisition data.
These rules about who has access to what is known as ๐๐จ๐ง๐๐ข๐ฅ๐๐ฆ๐๐ง๐๐ข๐ก (used for access control, permissions etc.)
Here's is a sweet nugget to remember it forever:
Here's is a sweet nugget to remember it forever:
Since you've understood what AUTHORISATION is, you must also understand that
- Authentication and Authorisation go hand in hand.
- They are two independent concepts, yet you need them to work together for designing an effective ๐จ๐ฆ๐๐ฅ ๐ฆ๐๐ฆ๐ฆ๐๐ข๐ก ๐ ๐๐ก๐๐๐๐ ๐๐ก๐ง.
- Authentication and Authorisation go hand in hand.
- They are two independent concepts, yet you need them to work together for designing an effective ๐จ๐ฆ๐๐ฅ ๐ฆ๐๐ฆ๐ฆ๐๐ข๐ก ๐ ๐๐ก๐๐๐๐ ๐๐ก๐ง.
Now, let's see how to implement authentication and authorisation, and how tokens (JWTs) are useful.
A simple user session management service needs 2 things:
- who the user is : authentication
- do they have permissions to access the requested resource : authorisation
A simple user session management service needs 2 things:
- who the user is : authentication
- do they have permissions to access the requested resource : authorisation
Now, to design a system where all its resources are accessible to everyone is pretty simple.
No permission control, no authorisation required.
Everybody has access to every resource in the system, think of public CDNs.
No permission control, no authorisation required.
Everybody has access to every resource in the system, think of public CDNs.
The difficulties arise when the response from the server is dynamic.
Meaning userA logged in should not have access to userB's data.
Please understand, since http is a stateless protocol the server won't remember who is the request is coming from.
Meaning userA logged in should not have access to userB's data.
Please understand, since http is a stateless protocol the server won't remember who is the request is coming from.
To fix that, we need some sort of information ( unique token) with each request.
Using this token the server could easily identify the user.
Using this token the server could easily identify the user.
There are two methods in which web applications manage and remember users (sessions),
๐ญ - ๐ฆ๐ฒ๐๐๐ถ๐ผ๐ป ๐ฏ๐ฎ๐๐ฒ๐ฑ
๐ฎ - ๐ง๐ผ๐ธ๐ฒ๐ป ๐ฏ๐ฎ๐๐ฒ๐ฑ
๐ญ - ๐ฆ๐ฒ๐๐๐ถ๐ผ๐ป ๐ฏ๐ฎ๐๐ฒ๐ฑ
๐ฎ - ๐ง๐ผ๐ธ๐ฒ๐ป ๐ฏ๐ฎ๐๐ฒ๐ฑ
๐ฆ๐ฒ๐๐๐ถ๐ผ๐ป ๐ฏ๐ฎ๐๐ฒ๐ฑ
- when you authenticate, the server creates a session and keeps track of it itself
- it creates a session_id to associate with that session and gives it back to client
- think of it as a reference token, holds a reference to user state on the server
- when you authenticate, the server creates a session and keeps track of it itself
- it creates a session_id to associate with that session and gives it back to client
- think of it as a reference token, holds a reference to user state on the server
- for the subsequent requests the client passes this session_id to the server as a part of every requests.
- the most common approach is to save the session_id in a http cookie
Next, let's see Token Based Approach
- the most common approach is to save the session_id in a http cookie
Next, let's see Token Based Approach
๐ง๐ผ๐ธ๐ฒ๐ป ๐ฏ๐ฎ๐๐ฒ๐ฑ
- server gives the user the details itself
- server encrypts entire user details in the form of a single JSON token
- server doesn't have to remember anything
- it's the client's responsibility to get these details every time it makes the requests
- server gives the user the details itself
- server encrypts entire user details in the form of a single JSON token
- server doesn't have to remember anything
- it's the client's responsibility to get these details every time it makes the requests
- think of it as value token, it contains the entire user info
Both the methods have its own advantages and disadvantages, and we'll discuss that in a separate post.
For the purpose of this post, your focus should be on the TOKEN.
A token simply put is a string of random characters.
But what's so special about a JWT token ?
For the purpose of this post, your focus should be on the TOKEN.
A token simply put is a string of random characters.
But what's so special about a JWT token ?
The internet experts got together and drafted a neat way of token generation for data sharing on the internet.
That open standard is called RFC7519.
The cool name is JWT a.k.a JSON Web Token.
rfc-editor.org/rfc/rfc7519
That open standard is called RFC7519.
The cool name is JWT a.k.a JSON Web Token.
rfc-editor.org/rfc/rfc7519
Although, JWT is commonly used for managing authorisation.
The idea behind JWT is to define a standard way between two parties to communicate information securely.
RFC7519 standard simply dictates:
- how the JSON data should be structured
- ways to encrypt it
- ways to sign it
The idea behind JWT is to define a standard way between two parties to communicate information securely.
RFC7519 standard simply dictates:
- how the JSON data should be structured
- ways to encrypt it
- ways to sign it
In our token based method, JWT is the token, it follows the RFC7519 standard.
Now we've everything covered to learn about JWT.
Let's understand JWT and how JWT is the magic pill for almost all AUTHORISATION problems.
Now we've everything covered to learn about JWT.
Let's understand JWT and how JWT is the magic pill for almost all AUTHORISATION problems.
First, a JWT has a strictly defined structure to represent your data.
A JWT token structure contains three parts, each part is separated by a comma.
๐๐๐๐๐๐ฅ. ๐ฃ๐๐ฌ๐๐ข๐๐.๐ฆ๐๐๐ก๐๐ง๐จ๐ฅ๐
A JWT token structure contains three parts, each part is separated by a comma.
๐๐๐๐๐๐ฅ. ๐ฃ๐๐ฌ๐๐ข๐๐.๐ฆ๐๐๐ก๐๐ง๐จ๐ฅ๐
By now you would've understood that, a token is an imp. piece of information.
And, if a malicious user gets access to your JWT, they can impersonate you.
But token hijaking is not the problem what JWT solves.
I'm not gonna tell you why, follow me if you're curious. ๐
And, if a malicious user gets access to your JWT, they can impersonate you.
But token hijaking is not the problem what JWT solves.
I'm not gonna tell you why, follow me if you're curious. ๐
A JWT token simply ensures that, your data in not tempered.
To temper the data, you'll need the secret_key.
All this is achieved using the signature part of the token.
๐๐ถ๐ด๐ป๐ฎ๐๐๐ฟ๐ฒ = ๐๐๐๐๐๐ฅ + ๐ฃ๐๐ฌ๐๐ข๐๐ + ๐ฎ_๐๐ฒ๐ฐ๐ฟ๐ฒ๐_๐ธ๐ฒ๐
To temper the data, you'll need the secret_key.
All this is achieved using the signature part of the token.
๐๐ถ๐ด๐ป๐ฎ๐๐๐ฟ๐ฒ = ๐๐๐๐๐๐ฅ + ๐ฃ๐๐ฌ๐๐ข๐๐ + ๐ฎ_๐๐ฒ๐ฐ๐ฟ๐ฒ๐_๐ธ๐ฒ๐
Anyone who is in possession of this key can generate a new tokes with a valid signature.
Most commonly used crypto algorithms used for generating signatures are
- HS256
- RS256
Play around here , tweak the secret in the signature.
It'll all make sense.jwt.io
Most commonly used crypto algorithms used for generating signatures are
- HS256
- RS256
Play around here , tweak the secret in the signature.
It'll all make sense.jwt.io
Few other characteristics of a JWT token is that,
- it's compact,
- self contained
- and fast.
Compact because it's just a simple string.
It can be easily send/receive via URL, post, http headers etc
This also helps in faster transfer.
- it's compact,
- self contained
- and fast.
Compact because it's just a simple string.
It can be easily send/receive via URL, post, http headers etc
This also helps in faster transfer.
Self contained because, this encoded string contains all the required info about the user.
Fast because since you've all the info available in the token.
You can avoid making user details query to the database more than once.
Fast because since you've all the info available in the token.
You can avoid making user details query to the database more than once.
There is a lot more to cover about JWT, like, encryption, disadvantages, advantages etc..
For the curious ones, you go on to read about encryption, digital signature etc
I wanna keep going on and on, but I also want to hear your feedbacks, before I shove it all down.
For the curious ones, you go on to read about encryption, digital signature etc
I wanna keep going on and on, but I also want to hear your feedbacks, before I shove it all down.
For now, thanks for staying with me for so long.
Do visit my profile, @happydecoder see if you like my other tweets.
Don't hesitate to give a follow and Retweet.
Do visit my profile, @happydecoder see if you like my other tweets.
Don't hesitate to give a follow and Retweet.
https://twitter.com/happydecoder/status/1704748128682086778
โข โข โข
Missing some Tweet in this thread? You can try to
force a refresh
ใ
