By: Edward Chan
Using JSON Web Tokens
for REST Authentication
Introduction
Edward Chan
@edwardchiapet
linkedin.com/in/edwardchan1350
drupal.org/u/edwardchiapet
Edward is an NYC-based Drupal Developer at Mediacurrent. He
started working with Drupal in 2012 and has experience building
Drupal sites in D6/7/8. He just recently became interested in
decoupled architecture and has experience building and using Drupal
as a backend service. He maintains the Quill and Autocomplete Deluxe
modules.
Drupal Developer
github.com/edwardchan
About
Mediacurrent helps organizations build highly
impactful, elegantly designed Drupal websites that
achieve the strategic results they need.
● Single-source provider
● Specializing in Drupal since 2007
● Headquartered in Atlanta, GA
● Team of 70+ Drupal Experts including
development, design and strategy
● Clients include: Large Enterprise and
high-profile global brands
Agenda
1. Introduction to JSON Web Tokens (JWT)
2. How It Works
3. Authenticating REST in Drupal
4. Comparing JWTs with other methods
JSON Web Tokens in Decoupled Architecture
● Separation of concerns
● True statelessness
● Flexibility
1. Introduction to JSON Web Tokens (JWT)
What is JSON Web Token (JWT)?
“JSON Web Tokens are an open, industry standard RFC 7519 method that defines a
compact and self-contained way for securely transmitting information between parties
as a JSON object. This information can be verified and trusted because it is digitally
signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private
key pair using RSA...”
- https://jwt.io/introduction
● Simply a string in the format header.payload.signature
● A means of representing claims to be transferred between two parties.
● Intended for space-constrained environments such as HTTP Authorization headers and URI query parameters. Prefer the Authorization header: a token placed in a query string ends up in server logs, proxy logs and browser history.
● Digitally signed, so the receiver can verify that the claims were not altered and that they were produced by the holder of the signing key.
● A JWT is either a JSON Web Signature (JWS) or a JSON Web Encryption (JWE) structure.
● The “claims” are encoded as a JSON object that becomes the payload of a JWS (integrity-protected by a MAC or digital signature) or the plaintext of a JWE (encrypted). A JWS can also be nested inside a JWE to get both.
● JWS is used in most cases.
● The suggested/formal pronunciation of JWT is “jot”.
JSON Web Token Structure
Header . Payload . Signature
JSON Web Token Structure - Header
● Contains information about how the JWT should be processed.
● Typically contains:
○ “typ” - type of the token (“JWT”)
○ “alg” - the algorithm used to sign (JWS) or encrypt (JWE) the token, e.g. HS256 (HMAC with SHA-256) or RS256 (RSA with SHA-256)
● Example: {"alg": "HS256", "typ": "JWT"}
● Caveat: the header is attacker-controlled until the signature has been verified. A verifier must not let the token’s “alg” choose how verification is done; it should accept only the algorithm(s) it was configured with and reject “none”.
JSON Web Token Structure - Payload
● Contains the “claims set”: the information we want to transmit plus metadata about the token itself.
● Types of claims (RFC 7519, section 4):
○ Registered (called “reserved” in early drafts) - predefined names such as “iss” and “exp”; optional, but recommended.
○ Public - names defined by whoever is using JWTs; they should either be registered in the IANA registry or be collision-resistant (for example a URI).
○ Private - custom names agreed between the producer and the consumer of the token, specific to your application.
● The registered claims are listed in the IANA JSON Web Token Registry
(https://www.iana.org/assignments/jwt/jwt.xhtml).
Some registered claim names:
exp  Expiration time (seconds since the Unix epoch) - reject the token at or after this instant
iss  Token issuer - check that it is the issuer you expect
iat  Time the JWT was issued
nbf  Not before - reject the token until this instant
aud  Audience - the recipient the token is meant for; a resource server should reject tokens not addressed to it
sub  Subject - who the token is about (for example the user ID)
JSON Web Token Structure - Signature
● Used to verify that the JWT was produced by the holder of the key and that the header and payload were not changed along the way.
● The value is produced by running the algorithm named in the header’s “alg” over:
○ base64UrlEncode(header) + “.” + base64UrlEncode(payload)
○ using a key: for HMAC (HS256) this is a shared “secret” held by the server and used both to sign new tokens and to verify existing ones; for RSA/ECDSA (RS256, ES256) the issuer’s private key signs and verifiers need only the public key.
Example of generating the signature using HMAC SHA256 (pseudocode):
var encodedHeader = base64UrlEncode(header);
var encodedPayload = base64UrlEncode(payload);
var signature = base64UrlEncode(HMACSHA256(encodedHeader + "." + encodedPayload, secret));
The token itself is then encodedHeader + "." + encodedPayload + "." + signature.
JSON Web Signature (JWS) Compact Serialization
(Figure, built up over four slides: the base64url-encoded header, a dot, the base64url-encoded payload, a dot, and the base64url-encoded signature computed over the first two. Image source: “JWT Handbook” by Sebastián Peyrott)
2. How It Works
Authentication Process
The slides tell it as a night out:
1. Bouncer with a guest list (server and a database)
2. Yourself and your ID (username and password)
3. Identity verified! (login credentials valid)
4. Wristband (JWT)
5. Bar (resource server)
6. Consume API resources
7. JWT expires (“exp”)
In protocol terms: the client sends its credentials to the issuer once; the issuer checks them against the database and returns a signed JWT; the client presents that token (typically in an Authorization header) on every call to the resource server, which verifies the signature and claims with its key and without a database lookup; once “exp” has passed the token is refused and the client must obtain a new one.
(Flow diagram; image source: https://jwt.io/introduction/)
How does JWT protect our data?
● The signature lets the resource server verify that the token came from the issuer (the holder of the key) and was not modified in transit.
● Short expiry times (“exp”) limit how long a stolen token stays useful.
● Retrieving a new JWT requires a valid refresh token (or re-authenticating).
● A signed JWT does not hide or obscure data in any way: base64url is an encoding, not encryption, so anyone holding the token can read every claim. Do not put secrets in the payload; use JWE if confidentiality is needed.
3. Using JWTs to Authenticate REST in Drupal
“JSON Web Token Authentication (JWT)” module
● https://www.drupal.org/project/jwt
● Depends on the “Key” module to manage the signing key, so the secret can be kept out of exported configuration (for example in a file outside the web root or in an environment variable) and rotated without a code change.
● “JWT Authentication Issuer” - provides an endpoint that issues JWTs to authenticated users.
● “JWT Authentication Consumer” - authenticates requests carrying JWTs generated by “JWT Authentication Issuer”.
● Provides 3 events for event subscribers:
○ VALIDATE
Allows custom validation of a JWT; a subscriber can mark the token invalid, for example when a required claim is missing or has an unexpected value.
○ VALID
Fires after a token has been validated. Subscribers can create new users based on the payload, if necessary.
○ GENERATE
Fires before a new JWT is encoded. Subscribers can add claims to the JWT before it is given to the client.
Companion blog post: https://www.mediacurrent.com/blog/using-json-web-tokens-jwt-authenticate-endpoints
JWT Debugger
● Allows you to see the content of a JWT, including the claims in the payload.
● You can verify the validity of the token by supplying the secret.
● Available as a Chrome extension.
● Caveat: a valid JWT is a bearer credential, so treat any real token (and any real secret) you paste into a debugger as exposed; use test tokens and test keys.
4. Comparing JWTs with other methods
Cookie-based Authentication
(Figure.) The server creates a session record after login and hands the browser a session-ID cookie; the browser attaches that cookie to every request automatically, and each request costs a lookup in a session store that every server behind the site must share.
JWT advantages
● Stateless - the token carries its own claims; the server keeps no session.
● Scalability - any server holding the key (or the public key) can verify a token, with no shared session store.
● Digitally signed - tampering is detectable.
● Performance - verification is a signature check, not a database lookup.
● CORS/CSRF - a token sent in an Authorization header is not attached automatically by the browser the way a cookie is, so classic CSRF does not apply and cross-origin API calls are simpler.
● Mobile-ready - no cookie jar required.
● Decoupled/Decentralized - the issuer and the resource servers can be separate systems.
JWT drawbacks
● Size of token - claims plus signature are far larger than a session ID, and travel on every request.
● Token revocation - a signed token stays valid until “exp”; logging a user out early or revoking a compromised token needs a server-side denylist (for example keyed by “jti”), which gives back some of the statelessness.
● Single-Page Applications - the token has to be stored somewhere in the browser; localStorage is readable by any script running on the page (XSS), while storing it in a cookie brings CSRF back.
@Mediacurrent Mediacurrent.com
Thank you!
slideshare.net/mediacurrent
https://jwt.io/
https://www.drupal.org/project/jwt
https://www.mediacurrent.com/blog/using-json-web-tokens-jwt-authenticate-endpoints
