JSON Web Tokens (JWTs) explained with examples | System Design

Video Statistics and Information

Captions
JSON Web Token, or JWT, is an open standard that defines a compact and secure way of transmitting information between two parties. JWTs are changing the way we think about data transmission and authentication. In this video we are going to take a deep dive into JWTs and see how they can be used to make our applications more secure and efficient. We'll start by covering the basics of JWTs, including what they are, how they work and why they are so useful. We will also code to generate the JWT. By the end of this video you'll have a solid understanding of JWTs and how they can be used to improve your application. So what are you waiting for? Let's get started.

To understand JWT it is important to first understand session tokens. Session tokens are encrypted strings that are used to identify a session between two parties. Here is an example of how session tokens work. Imagine you are calling a customer service. You tell the representative your problem and they take some notes. At the end of the call they give you a case number. The case number is a session token that identifies your conversation with the representative. The next time you call customer service you can provide the same case number, and this will allow your representative to quickly look up your conversation and continue helping you. Now let's think the same with clients and servers. Imagine you want to create an account on a website. You fill out a registration form and click submit. The website sends you a token that is stored in browser cookies. This token allows you to access the website and its features. Session tokens are a good way to keep track of your users and their sessions. However, they have one big drawback: they can only be used on the server that issued them. For example, let's say you log into your bank's website. The bank server will issue a token that allows you to access the website. However, if you try to access the bank's mobile app, the app won't be able to verify your token because it was issued by a different server.

This is where JSON Web Tokens come in. JWTs are a type of token that can be used on multiple servers, and this makes them ideal for applications that need to authenticate users across multiple systems. Imagine you are going to a concert. When you buy your ticket you are given a wristband. The wristband is a way for the security guards to quickly identify you as a concert goer. JWT tokens are like wristbands for the internet. They are a way for servers to quickly identify users and their permissions, and this makes it easier for users to access the resources they need and it makes it more secure for servers to protect their data. They are a way of securely transmitting information between two parties, such as an authentication token or a user's profile information. For example, let's say you have a front-end application that communicates with an API. You can use a JWT to authorize the user and check their role before allowing them to access the API. This can help you to protect your API from unauthorized access. To do this securely, the server will issue the user a JWT that contains the username, role and a random token. The user's browser will then store the token in local storage, and when the user makes a request to an API they will include the token in the request header. The API will then verify the token and check the user's role. If the user is authorized to access the API, the API will respond with the requested data; otherwise the API will return an error. This method of authorization is very efficient because it only requires the user to authenticate once. The user can then access any API that they are authorized to access without having to re-authenticate each time. JWTs are also very useful in distributed systems and microservices architecture. In this type of architecture there are many different services that need to communicate with each other, and JWTs can be used to securely authenticate users and services and to perform role checks. This can help to ensure that only authorized users and services can access each other.

The private/public key signing method is a very secure way to sign JWTs. It uses a private key to sign the JWT and a public key to verify the JWT, and this method is very secure because it is very difficult to forge a JWT that is signed with a private key. I have covered private/public key in one of my previous videos, where I explained almost everything you need to know about security in the context of the system design interview; please do check it out. Now, using JWTs with the private/public key signing method can save you a huge amount of requests and improve the overall scalability of your application. This is because the user only needs to authenticate once and the JWT can be used to access multiple services. This can significantly reduce the load on your authentication server.

So if you have a special envelope called JWT, inside this envelope there are three parts: a return address, a message and a wax seal. The return address is like the header on the outside of the envelope. It tells the recipient who sent the JWT and where it came from. It is usually written in a format called JSON, which is just a way to organize information using curly braces and colons. The header contains metadata information about the JSON Web Token. The algorithm here is used to sign the token, and this is useful for the attempted reproduction of the signature, which we'll talk about later. The type of the token, in the case of a JWT, will always have the JWT value. You will sometimes find extra headers that were added by the sender or issuer, but the above two will almost always be there. The message is like the actual content or payload of the JWT. The payload contains the claims, which are statements about the subject of the JWT, such as the user's identity, their permissions or the time at which the JWT was issued. There are two types of JWT claims. Registered claims are the claims that are defined by the JWT specification, and some examples of registered claims include the issuer of the JWT, the subject of the JWT, the audience of the JWT, the expiration time and the issue time of the JWT. Custom claims are the claims that are not defined by the JWT specification but can be used to store any type of information that you want to include in the JWT. The claims in the JWT are encoded in JSON and are separated by dots. For example, a JWT with the following claims: iss here is the issuer, the entity that generated and issued the JWT. This could be your company, your website or any other entity that you want to identify yourself as. sub, or subject, is the entity that is identified by the JWT. This could be a user, a device or any other entity that you want to authenticate. This is the subject of your token; this is the entity that is identified by the token. aud, or audience, is the target audience of the JWT. This could be a specific group of users, such as your beta testers, or it could be a public audience. The audience for the token is API/myAPI, and this is the entity that the token is intended for. exp, or expiry, is the timestamp after which the JWT should not be accepted. This helps to prevent the JWT from being used after it is expired. iat, or issued at, is the date at which the JWT was issued, and helps to track the age of the JWT and prevent it from being used before it was issued. Now you can use custom claims if you need to store data in your JWTs, such as roles. You could store the user's role, their permissions or any other data that you need to use to authenticate or authorize the user. The payload of a JSON Web Token is by default decodable by anyone; in fact, you can paste any JWT into jwt.io and immediately see the claims.

Now the wax seal is what makes JWTs secure. It is like a special signature that only the sender knows how to create. The wax seal is created using a secret code, kind of like a password. The wax seal ensures that nobody can tamper with the contents of the JWT without the sender knowing about it. The signature is created from the encoded header, the encoded payload, a secret, which is a private key, and a cryptographic algorithm, and all these four components allow the creation of the signature.

The following code shows how to generate the JWT and the signature. The code first imports the JWT library, and this library is used to generate and decode JWTs. We then define two variables, header and payload. The header variable contains the header of the JWT, which includes the algorithm used to sign the JWT and the type of the JWT. The payload variable contains the payload of the JWT, which includes the claims of the JWT. We then use the jwt.encode function to encode the header and payload using the secret "bytemonk secret" and the HMAC SHA-256 algorithm. The jwt.encode function returns two values, the encoded header and the encoded payload. The code then uses the hmac module to calculate the signature of the JWT. The signature is calculated using the HMAC SHA-256 algorithm and the secret "bytemonk secret". We then use the encoded header, the encoded payload and the signature to form the JWT. The JWT is a string that is separated by periods, and finally we print the JWT.

The signature is probably the most important misunderstood part of JWTs, and here is a sample signature. The signature looks like gibberish, but this is unique and reproducible. JSON Web Tokens are decodable by anyone; in fact, feel free to copy the following token and paste it directly into jwt.io. You can immediately see all the claims in this token. This is why you should never store sensitive information in the token, and by the way, a user's role is not sensitive but a password is. In a real-world application it would be better to store the user's username and role in the JWT and store the password in a secure database. The server would then use the user's username and password to authenticate the user and issue them a JWT with a username, role and a random token. The user would then store the token in the browser and use it to authenticate with the API.

Now you might be wondering how we can prevent people from tampering with a token, and the answer is the signature. The wax seal on our envelope is like the signature on a JWT. It proves that the package has not been tampered with since you sent it; it proves that the JWT has not been tampered with since it was issued. So if somebody tampered with the claims and set their role from user to admin, the JWT verification will fail, as the signature does not match anymore, because the signature is generated using the original payload defined by the issuer. This makes JWTs a secure way to transfer information between two parties. Remember, the purpose of JWT is not to hide data but to ensure the authenticity of the data. JWT is signed and encoded, and not encrypted. JWTs are a versatile tool that can be used for a variety of purposes. They are a secure and efficient way to transmit information between two parties. [Music] Thank you.
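The video's code for building a JWT is not reproduced in the captions, so the following is an added example, not the video's or the channel's own code. It builds the three dot-separated parts (base64url header, base64url payload, HMAC-SHA256 signature over the first two) with only the Python standard library instead of a JWT library, and then shows the verifier side that the video only describes: the signature check rejects a payload whose role was changed from user to admin, and the exp, iat and aud claims are checked on top of the signature. The secret, the claim values and the timestamp are constructed demo values; a real issuer loads the secret from a secrets store and a real verifier uses the current clock.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret (assumption); never hard-code a real signing key.
SECRET = b"bytemonk secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    """Return header.payload.signature, signed with HMAC-SHA256 over 'header.payload'."""
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{enc_header}.{enc_payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, audience: str, now: Optional[int] = None) -> dict:
    """Return the claims if alg, signature, aud, exp and iat all check out; raise ValueError otherwise."""
    try:
        enc_header, enc_payload, enc_sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated parts")
    header = json.loads(b64url_decode(enc_header))
    # The verifier pins the algorithm it accepts; the token's header is not trusted to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(enc_sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(enc_payload))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now:
        raise ValueError("token issued in the future")
    return claims


def with_modified_role(token: str, new_role: str) -> str:
    """Re-encode the payload with a different role but keep the original signature,
    reproducing the tampering case from the video so the verifier's rejection can be shown."""
    enc_header, enc_payload, enc_sig = token.split(".")
    claims = json.loads(b64url_decode(enc_payload))
    claims["role"] = new_role
    return f"{enc_header}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{enc_sig}"


def outcome(token: str, now: int) -> str:
    """Summarise what the verifier does with a token: 'accepted' or 'rejected: <reason>'."""
    try:
        verify_hs256(token, SECRET, "api/myapi", now)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


def demo(now: int = 1_700_000_000) -> dict:
    """Issue one good token plus variants, and report how verification treats each."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Constructed claims mirroring the video: issuer, subject, audience, times and a role.
    claims = {"iss": "bytemonk", "sub": "user123", "aud": "api/myapi",
              "iat": now, "exp": now + 3600, "role": "user"}
    good = sign_hs256(header, claims, SECRET)
    expired = sign_hs256(header, {**claims, "exp": now - 1}, SECRET)
    other_audience = sign_hs256(header, {**claims, "aud": "api/other"}, SECRET)
    return {
        "original": outcome(good, now),
        "role changed": outcome(with_modified_role(good, "admin"), now),
        "expired": outcome(expired, now),
        "wrong audience": outcome(other_audience, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The point to take from running it is the one the video makes with the wax seal: anyone can decode the payload and change the role, but without the secret they cannot produce a signature that matches the changed payload, so the verifier's HMAC comparison fails before the role is ever read. The aud, exp and iat checks are the verifier's responsibility as well; a valid signature on an expired token or a token meant for another API is still a rejection.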
Info
Channel: ByteMonk
Views: 12,371
Keywords: system design, interview question, faang, pipeline, technology, system design tutorial, system design interview questions, system design interview, instagram, instagram system design
Id: iB__rLXGsas
Length: 11min 23sec (683 seconds)
Published: Fri Aug 25 2023