Musings from my development journey.Topics
Lance discussed the concept of JWT (JSON Web Tokens), starting with the example of how to share authentication between multiple applications (a mobile and a Rails web application).
Analogy: session cookies are not like chocolate chip cookies, they're like fortune cookies, that contain content inside of the cookie.
JWT's contain structured data for sessions. They're designed to fit in small spaces.
Definition from JWT site
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
Let's explain some concepts of this definition further.
Compact: Because of their smaller size, JWTs can be sent through a URL, POST parameter, or inside an HTTP header. Additionally, the smaller size means transmission is fast.
Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.
JWTs can be thought of as an ID card, it has:
However, it needs to be checked to ensure that it's valid. You need to check:
JWTs can help streamline authentication between multiple applications. When using JWTs you don't need to build multiple authentication systems for multiple apps.
JWTs allow you to implement RSA signatures, which allows you to:
This means that you don't have to share secret keys between applications, which reduces the attack surface of hackers. Each application can manage it's own secret.
JWTs also allow you to build out a unified process for password resets between multiple applications by leveraging a
Utilizing JWTs allows you to separate components of authentication from the application's
User model. This is accomplished by adding an account component.
He's working on a service that allows for 3rd party based auth: https://keratin.tech/