INTRODUCTION TO
JSON WEB TOKEN (JWT)
JSON WEB TOKEN (JWT)
• JWT (RFC 7519) is an open standard for transferring claims between parties as a compact, URL-safe JSON object. A signed JWT lets the receiver verify who issued the token and that it has not been modified; it does not hide the contents, which anyone holding the token can read.
• JWT is used for stateless authentication between users and providers: the session state travels inside the token on the client side instead of being stored in a session table on the server, so the server only needs the key to verify it.
JSON WEB TOKEN (JWT)
• Session-based authentication & token-based authentication
• How JWT works
• How to create a JWT
• Header
• Payload
• Signature
• Workshop
SESSION-BASED AUTHENTICATION
TOKEN-BASED AUTHENTICATION
• The user's login state is encoded into a JSON Web Token (JWT) by the server and sent to the client, which presents it on every later request (typically in the Authorization: Bearer header).
• Nowadays many RESTful APIs use it.
HOW JWT WORKS
HOW TO CREATE A JWT
First, you should know the three parts of a JWT, which are base64url-encoded and joined with dots (header.payload.signature):
• Header
• Payload
• Signature
HEADER
The header answers the question: how is the signature of this JWT computed?
Look at an example of a header; it is a small JSON object with two fields:
• typ is 'type' and indicates that the token type here is JWT.
• alg stands for 'algorithm', the signing algorithm used to produce the token signature. In the example, HS256 is HMAC with SHA-256, a message authentication code keyed with a secret shared by issuer and verifier (it is not a plain hash: without the secret nobody can produce a valid signature). The verifier should fix the algorithm it expects rather than trust the value in an incoming token.
PAYLOAD
• In the payload JSON object we store three user fields: userId, username, email. You can add any field you want, but remember the payload is only base64url-encoded, not encrypted, so never put passwords or other secrets in it.
• We also have some standard fields (the registered claims). They are optional:
• iss (issuer): who issued the JWT
• iat (issued at): the time the JWT was issued
• exp (expiration time): the time after which the JWT must be rejected; the server must check this on every request, because a stateless token cannot be revoked otherwise
SIGNATURE
• This part is where we use the signing algorithm named in the header. The code for computing the signature follows these steps:
• First, base64url-encode the header and the payload and join them with a dot; this string is the signing input.
• Next, we compute the HMAC of the signing input using the algorithm defined in the header (HMAC-SHA256 for HS256) with a secret string known only to the server.
– Finally, we base64url-encode the HMAC result to get the signature, and append it to the signing input with another dot.
WORKSHOP
• HTTPS://GITHUB.COM/OLANETSOFT/JWT-PROJECT

jwt.pptx

  • 1.
  • 2.
    JSON WEB TOKEN(JWT) • JWT IS AN OPEN STANDARD FOR SECURELY TRANSFERRING DATA WITHIN PARTIES USING A JSON OBJECT. • JWT IS USED FOR STATELESS AUTHENTICATION MECHANISMS FOR USERS AND PROVIDERS, THIS MEANS MAINTAINING SESSION IS ON THE CLIENT-SIDE INSTEAD OF STORING SESSIONS ON THE SERVER.
  • 3.
    JSON WEB TOKEN(JWT) • SESSION-BASED AUTHENTICATION & TOKEN-BASED AUTHENTICATION • HOW JWT WORKS • HOW TO CREATE A JWT • HEADER • PAYLOAD • SIGNATURE • WORKSHOP
  • 4.
  • 5.
    TOKEN-BASED AUTHENTICATION • THEUSER LOGIN STATE IS ENCODED INTO A JSON WEB TOKEN (JWT) BY THE SERVER AND SEND TO THE CLIENT. • NOWADAYS MANY RESTFUL APIS USE IT
  • 6.
  • 7.
    HOW TO CREATEA JWT FIRST, YOU SHOULD KNOW THREE IMPORTANT PARTS OF A JWT: • HEADER • PAYLOAD • SIGNATURE
  • 8.
    HEADER THE HEADER ANSWERSTHE QUESTION: HOW WILL WE CALCULATE JWT? NOW LOOK AT AN EXAMPLE OF HEADER, IT’S A JSON OBJECT LIKE THIS: • TYP IS ‘TYPE’, INDICATES THAT TOKEN TYPE HERE IS JWT. • ALG STANDS FOR ‘ALGORITHM’ WHICH IS A HASH ALGORITHM FOR GENERATING TOKEN SIGNATURE. IN THE CODE ABOVE, HS256 IS HMAC-SHA256 – THE ALGORITHM WHICH USES SECRET KEY.
  • 9.
    PAYLOAD • IN THEJSON OBJECT ABOVE, WE STORE 3 USER FIELDS: USERID, USERNAME, EMAIL. YOU CAN SAVE ANY FIELD YOU WANT. • WE ALSO HAVE SOME STANDARTDFIELDS. THEY ARE OPTIONAL. • ISS (ISSUER): WHO ISSUES THE JWT • IAT (ISSUED AT): TIME THE JWT WAS ISSUED AT • EXP (EXPIRATION TIME): JWT EXPIRATION TIME
  • 10.
    SIGNATURE • THIS PARTIS WHERE WE USE THE HASH ALGORITHM THAT I TOLD YOU ABOVE. LOOK AT THE CODE FOR GETTING THE SIGNATURE BELOW: • NEXT, WE MAKE A HASH OF THE DATA USING HASH ALGORITHM (DEFINED AT HEADER) WITH A SECRET STRING. – FINALLY, WE ENCODE THE HASHING RESULT TO GET SIGNATURE.
  • 11.