Download to read offline
Uploaded byFrank Linehan
Jwt
JWTs are an open standard for securely transmitting claims between parties as a JSON object. The claims are encoded in a JWT payload that is digitally signed or integrity protected with a MAC and/or encrypted. JWTs avoid issues with cookies and cross-origin resource sharing by being stateless and transmitting claims in tokens rather than sessions. JWTs handle authentication across devices and services without managing sessions on the server. A JWT contains a base64-encoded header, base64-encoded claims, and base64-encoded signature to securely transmit claims between a browser and server.
![PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://cdn.slidesharecdn.com/ss_thumbnails/17h00ivanrosolen-160331183444-thumbnail.jpg?width=640&height=640&fit=bounds)
Jwt
- 1.
- 2. JWT? JSON Web Tokensare an open, industry standard RFC 7519 method for representing claims securely between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
- 3.
- 4.
- 5.
- 6. Why JWT? Cookies don’twork well with CORS Cookies require stateful servers APIS should be stateless JWT much more scalable CDN serve all the assets of your app, server side is just the API.
- 7. A Better Approach JWTdoesn’t use sessions, has no problems with mobile, it doesn’t need CSRF and it works very well with CORS too. If you don’t have a valid token you can't do anything. JWT handle auth across devices and services without managing sessions on the server.
- 8.
- 9. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpv aG4gRG9lIiwiYWRtaW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFO NFh7HgQ What is aJWT? <base64-encoded header>. <base64-encoded claims>. <base64-encoded signature>
- 10. FYI You should notsend any secret information using JWT, rather send information that is not secret but needs to be verified. For instance, sending a signed user id to indicate the user that should be logged in would work great! Sending a user's password would be super bad. Payload is not encrypted!
- 11.
- 12.