With the advent of Single Page Applications (SPAs) and mobile applications, APIs have come to the forefront of web development. As we develop APIs to support our SPAs and mobile apps, securing those APIs has been a major pain point. Token-based authentication is one of the most-favored authentication mechanisms, but tokens are prone to various attacks. Mitigating those attacks means implementing fixes, which often leads to one-off solutions that make tokens non-exchangeable between diverse systems. JSON Web Tokens (JWTs) were created to provide standards-based token handling and verification, so that tokens can be exchanged between diverse systems without any issue.
What is JWT?
JWTs carry information (called "claims") via JSON, hence the name JSON Web Tokens. JWT is a standard and has been implemented in almost all popular programming languages. Hence, they can be easily used or exchanged in systems implemented in diverse platforms.
JWTs are plain strings, so they can be easily passed in a URL or an HTTP header. They are also self-contained: the token carries both its payload and its signature.
Anatomy of a JWT
A JWT (pronounced 'JOT') consists of three strings separated by '.':
aaaaa.bbbbbbb.ccccccc
The first part is the header, the second part is the payload, and the third part is the signature.
The header consists of two parts:
- The type of token, i.e. 'JWT'
- The signing (hashing) algorithm used
Continue reading "An Introduction to Using JWT Authentication in Rails"
by Devdatta Kane via SitePoint