Dev Thoughts

Musings from my development journey.


JSON Web Tokens - Lance Ivy


Lance discussed the concept of JWT (JSON Web Tokens), starting with the example of how to share authentication between multiple applications (a mobile and a Rails web application).

What is Logging in?

  1. User logs in from browser.
  2. The browser is sent back a cookie from the server, following the request/response lifecycle.
  3. Cookies are carried as headers on HTTP requests and responses.

What are cookies?

Analogy: session cookies are not like chocolate chip cookies; they're like fortune cookies, which carry content inside.


JSON Web Tokens

JWTs contain structured data for sessions. They're designed to fit in small spaces.

Definition from JWT site

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.

Let's explain some concepts of this definition further.

Compact: Because of their smaller size, JWTs can be sent through a URL, POST parameter, or inside an HTTP header. Additionally, the smaller size means transmission is fast.

Self-contained: The payload contains all the required information about the user, avoiding the need to query the database more than once.

JWTs can be thought of as an ID card; like one, a JWT has:

  • Issuer
  • Security
  • Data

However, it needs to be checked to ensure that it's valid. You need to check:

  1. Is it from a recognized authority?
  2. Is it intended for me?
  3. Has it expired?
  4. Is it a forgery?
  5. When was it generated?

Practical JWT

JWTs can help streamline authentication between multiple applications. When using JWTs you don't need to build multiple authentication systems for multiple apps.


JWTs allow you to use RSA signatures, which lets you:

  1. Publish public keys via JSON web keys
  2. Fetch, cache, and verify

This means that you don't have to share secret keys between applications, which reduces the attack surface available to attackers. Each application can manage its own secret.
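As an added example (not part of Lance's talk or this post), here are the validity checklist from the ID-card section and the public-key flow from this section in plain Ruby: one application signs an RS256 token with its private key and publishes the public half as a JWK; a second application fetches that document, caches the key by `kid`, and runs the five checks before trusting any claim. Only the standard library's OpenSSL and JSON are used; the issuer URL, audience, key id and fixed clock value are constructed for the example.

```ruby
require 'openssl'
require 'json'

module MiniJWT
  class Invalid < StandardError; end

  # base64url without padding (RFC 7515); pack/unpack avoid depending on the base64 gem
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    s = str.tr('-_', '+/')
    (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
  rescue ArgumentError
    raise Invalid, 'malformed base64url segment'
  end

  # Issuer side: sign header.payload with the issuer's private RSA key; kid names that key
  def self.encode(claims, rsa_private, kid)
    header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }
    input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
    "#{input}.#{b64url(rsa_private.sign('SHA256', input))}"
  end

  # Unverified header, read only to pick a key by kid; nothing in it is trusted yet
  def self.header(token)
    JSON.parse(unb64url(token.split('.', 2).first))
  end

  # Relying-app side: the five checks from the talk. The verifier fixes the algorithm
  # and the key itself instead of taking either from the token.
  def self.verify(token, public_key:, issuer:, audience:, now: Time.now.to_i, max_age: 3600)
    h64, p64, s64 = token.split('.')
    raise Invalid, 'expected three segments' unless s64 && token.count('.') == 2
    raise Invalid, 'unexpected alg' unless JSON.parse(unb64url(h64))['alg'] == 'RS256'
    # 4. forgery: verify the signature before believing any claim
    raise Invalid, 'bad signature' unless public_key.verify('SHA256', unb64url(s64), "#{h64}.#{p64}")
    claims = JSON.parse(unb64url(p64))
    # 1. recognized authority
    raise Invalid, 'unknown issuer' unless claims['iss'] == issuer
    # 2. intended for me (aud may be a single string or an array of them)
    raise Invalid, 'wrong audience' unless Array(claims['aud']).include?(audience)
    # 3. expired
    raise Invalid, 'expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
    # 5. when generated: not from the future (60 s clock skew) and not older than max_age
    iat = claims['iat']
    raise Invalid, 'bad iat' unless iat.is_a?(Integer) && iat <= now + 60 && now - iat <= max_age
    claims
  rescue JSON::ParserError, OpenSSL::PKey::PKeyError
    raise Invalid, 'malformed token'
  end

  # Publish the public key as a JWK (RFC 7517): n and e as base64url big-endian bytes
  def self.to_jwk(rsa, kid)
    { 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => kid,
      'n' => b64url(rsa.n.to_s(2)), 'e' => b64url(rsa.e.to_s(2)) }
  end

  # Rebuild the public key from a fetched JWK through the PKCS#1 RSAPublicKey DER structure
  def self.from_jwk(jwk)
    raise Invalid, 'not an RSA key' unless jwk['kty'] == 'RSA'
    n, e = %w[n e].map { |f| OpenSSL::ASN1::Integer(OpenSSL::BN.new(unb64url(jwk[f]), 2)) }
    OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([n, e]).to_der)
  end
end

# --- constructed scenario: an accounts service issues, a mobile API verifies ---
NOW = 1_700_000_000                             # fixed clock keeps the example repeatable
ISSUER = 'https://accounts.example'             # constructed issuer identifier
ISSUER_KEY = OpenSSL::PKey::RSA.generate(2048)  # private half never leaves the issuer
JWKS = { 'keys' => [MiniJWT.to_jwk(ISSUER_KEY, 'key-2024-01')] } # what the issuer publishes

# "Fetch, cache, verify": reading JWKS stands in for an HTTP GET of the published document;
# the relying app memoizes parsed keys by kid and never holds a shared secret.
KEY_CACHE = {}
def cached_public_key(kid)
  KEY_CACHE[kid] ||= begin
    jwk = JWKS['keys'].find { |k| k['kid'] == kid } or raise MiniJWT::Invalid, "no key #{kid.inspect}"
    MiniJWT.from_jwk(jwk)
  end
end

def issue(sub, now: NOW)
  claims = { 'iss' => ISSUER, 'aud' => 'mobile-api', 'sub' => sub, 'iat' => now, 'exp' => now + 900 }
  MiniJWT.encode(claims, ISSUER_KEY, 'key-2024-01')
end

def check(token, now: NOW)
  MiniJWT.verify(token, public_key: cached_public_key(MiniJWT.header(token)['kid']),
                 issuer: ISSUER, audience: 'mobile-api', now: now)
end

puts "accepted: #{check(issue('user-42'))['sub']}"
```

The verifier never reads the algorithm or key material out of the token it is checking: `kid` only selects among keys the relying app already fetched from the issuer, and the signature is checked before any claim is read. Swapping the `JWKS` constant for a real HTTP fetch of the issuer's JWKS URL is the only change a deployment would need.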

JWTs also allow you to build out a unified process for password resets between multiple applications by leveraging a scope and lock.

Utilizing JWTs allows you to separate components of authentication from the application's User model. This is accomplished by adding an account component.

He's working on a service that allows for 3rd party based auth: