This session will provide an introduction to JSON Web Tokens (JWT) (https://jwt.io/introduction/), advantages over other authentication methods, and how to use it to authenticate requests to Drupal REST resources. After this session, attendees will have a better understanding of how JWTs work and will be able to set up and use JWT for authenticating REST requests in Drupal.

1. By: Edward Chan
Using JSON Web Tokens
for REST Authentication

2. Introduction
Edward Chan
@edwardchiapet
linkedin.com/in/edwardchan1350
drupal.org/u/edwardchiapet
Edward is an NYC-based Drupal Developer at Mediacurrent. He
started working with Drupal in 2012 and has experience building
Drupal sites in D6/7/8. He just recently became interested in
decoupled architecture and has experience building and using Drupal
as a backend service. He maintains the Quill and Autocomplete Deluxe
modules.
Drupal Developer
2
github.com/edwardchan

3. About
3
Mediacurrent helps organizations build highly
impactful, elegantly designed Drupal websites that
achieve the strategic results they need.
● Single-source provider
● Specializing in Drupal since 2007
● Headquartered in Atlanta, GA
● Team of 70+ Drupal Experts including
development, design and strategy
● Clients include: Large Enterprise and
high-profile global brands

4. Style Guide
Agenda
Introduction to JSON Web Tokens (JWT)
Authenticating REST in Drupal
Comparing JWTs with other methods4
3
2
1
4
How It Works

5. JSON Web Tokens in Decoupled Architecture
5
● Separation of concerns
● True statelessness
● Flexibility
Introduction to JSON Web Tokens (JWT)

6. Introduction to JSON Web Tokens (JWT)1

7. What is JSON Web Token (JWT)?
7
“JSON Web Tokens are an open, industry standard RFC 7519 method that defines a
compact and self-contained way for securely transmitting information between parties
as a JSON object. This information can be verified and trusted because it is digitally
signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private
key pair using RSA...”
- https://jwt.io/introduction
Introduction to JSON Web Tokens (JWT)

8. What is JSON Web Token (JWT)?
8
● Simply a string in the format of header.payload.signature
● A means of representing claims to be transferred between two parties.
● Intended for space-constrained environments such as HTTP Authorization
headers and URI query parameters.
● Digitally-signed - information is verified and trusted.
Introduction to JSON Web Tokens (JWT)

9. What is JSON Web Token (JWT)?
9
● A JWT is a type of either JSON Web Signature (JWS) or JSON Web Encryption
(JWE).
● The “claims” in a JWT are encoded as a JSON object that it is digitally-signed using
JWS and/or encrypted using JWE.
● JWS is used in most cases.
● The suggested/formal pronunciation of JWT is “jot”.
Introduction to JSON Web Tokens (JWT)

10. JSON Web Token Structure
10
Introduction to JSON Web Tokens (JWT)

11. JSON Web Token Structure
11
Introduction to JSON Web Tokens (JWT)
Header .
Payload .
Signature

12. JSON Web Token Structure - Header
12
Introduction to JSON Web Tokens (JWT)
● Contains information about how the JWT should be computed.
● Typically contains:
○ “typ” - type of the token (“JWT”)
○ “alg” - signing hashing algorithm being used to sign or encrypt the JWT - such as HMAC SHA256 or RSA
● Example:

13. JSON Web Token Structure - Payload
13
Introduction to JSON Web Tokens (JWT)
● Contains the “claims set”, which is information we want to transmit and other information about the token.
● Types of claims:
○ Reserved - predefined claims that are recommended.
○ Public - claims that we create ourselves
○ Private - custom claims that are usually more specific to the application you’re connecting to
● A list of predefined claims can be found in the IANA JSON Web Token Registry
(https://www.iana.org/assignments/jwt/jwt.xhtml).

14. JSON Web Token Structure - Payload
14
Introduction to JSON Web Tokens (JWT)
exp Expiration time
iss Token issuer
iat Time the JWT was issued
nbf Not before
Some reserved claim names:

15. JSON Web Token Structure - Signature
15
Introduction to JSON Web Tokens (JWT)
● Used to verify that the sender of the JWT is legitimate and to ensure that the
message was not changed or altered along the way.
● Value is generated by hashing the following using the signing algorithm specified in
the “header”:
○ base64UrlEncode(header) + “.” + base64UrlEncode(payload)
○ a “secret” (held by the server and will be used to verify existing tokens and
sign new ones)

16. JSON Web Token Structure - Signature
16
Introduction to JSON Web Tokens (JWT)
Example of generating the signature using HMAC SHA256:
var encodedHeader = base64UrlEncode(header);
var encodedPayload = base64UrlEncode(payload);
var signature = base64UrlEncode(HMACSHA256(encodedHeader + “.”
+ encodedPayload, secret));

17. JSON Web Signature (JWS) Compact Serialization
17
Introduction to JSON Web Tokens (JWT)
Image source: “JWT” Handbook by Sebastián Peyrott
(encoded header)
(encoded payload)

18. JSON Web Signature (JWS) Compact Serialization
18
Introduction to JSON Web Tokens (JWT)
Image source: “JWT” Handbook by Sebastián Peyrott
(encoded header)
(encoded payload)

19. JSON Web Signature (JWS) Compact Serialization
19
Introduction to JSON Web Tokens (JWT)
Image source: “JWT” Handbook by Sebastián Peyrott

20. JSON Web Signature (JWS) Compact Serialization
20
Introduction to JSON Web Tokens (JWT)
Image source: “JWT” Handbook by Sebastián Peyrott

21. How It Works2

22. 22
Authentication Process
How It Works

23. 23
Authentication Process
How It Works

24. 24
Authentication Process
How It Works
Bouncer with a guest list
(server and a database)

25. 25
Authentication Process
How It Works
Yourself and your ID
(username and password)

26. 26
Authentication Process
How It Works
Identity verified!
(login credentials valid)

27. 27
Authentication Process
How It Works
Wristband
(JWT)

28. 28
Authentication Process
How It Works

29. 29
Authentication Process
How It Works
Bar
(Resource server)

30. 30
Authentication Process
How It Works
Consume API
Resources

31. 31
Authentication Process
How It Works
JWT expires (“exp”)

32. 32
Authentication Process
Image source: https://jwt.io/introduction/
How It Works

33. 33
Authentication Process
How It Works
Image source: https://jwt.io/introduction/

34. How does JWT protect our data?
34
Introduction to JSON Web Tokens (JWT)
● Used to verify the authenticity of the source that sent the data.
● Short expiry times.
● Retrieving a new JWT requires a valid refresh token.
● A signed JWT does not hide or obscure data in any way

35. Using JWTs to Authenticate REST in Drupal3

36. “JSON Web Token Authentication (JWT)” module
36
Using JWTs to Authenticate REST in Drupal
● https://www.drupal.org/project/jwt
● Depends on the “Key” module to manage secret keys.
● “JWT Authentication Issuer” - provides an endpoint to issue JWTs.
● “JWT Authentication Consumer” - authenticates JWTs generated by “JWT Authentication Issuer”.
● Provides 3 events for event subscribers:
○ VALIDATE
Allows for custom validations for a JWT.
○ VALID
Fires after a token has been validated. Subscribers can create new users based on the payload, if necessary.
○ GENERATE
Fires before a new JWT is encoded. Subscribers can add claims to the JWT before it is given to the client.

37. “JSON Web Token Authentication (JWT)” module
37
Using JWTs to Authenticate REST in Drupal
https://www.mediacurrent.com/blog/using-json-web-tokens-jwt-authenticate-endpoints

38. JWT Debugger
38
Using JWTs to Authenticate REST in Drupal
● Allows you to see the content of a JWT -
including the claims in the payload.
● You can verify the validity of the token with a
secret.
● Chrome extension!

39. Comparing JWTs with other methods4

40. Cookie-based Authentication
40
Comparing JWTs with other methods

41. JWT advantages
41
Comparing JWTs with other methods
● Stateless
● Scalability
● Digitally-signed
● Performance
● CORS/CSRF
● Mobile-ready
● Decoupled/Decentralized

42. JWT drawbacks
42
Comparing JWTs with other methods
● Size of token
● Tokens Revocation
● Single-Page Applications

43. @Mediacurrent Mediacurrent.com
Thank you!
slideshare.net/mediacurrent
https://jwt.io/
https://www.drupal.org/project/jwt
https://www.mediacurrent.com/blog/using-json-web-tokens-jwt-authenticate-endpoints