JWT token vs Server Tokens

Captions
All right, hey there everyone, Hitesh here, and this is a really cool video to actually have a discussion about JWT and server tokens. These are really interesting ones; in case you are not aware of them, this is a fantastic video to get started with. I'll discuss what the strategies are, what the pros and cons of both of them are, and what these things actually are. So let's get started without wasting any more time.

So there are two techs which are used quite a lot. "Tech" would not be the correct word to use in this case; these are more strategies that you can use. One is JWT tokens and the other one is server tokens. JWTs are actually a little bit different as a strategy to apply. They also produce you a token with their own mechanism, in which there is a payload into which you can insert information and use that. But JWT tokens are bearer tokens. You might have seen that wherever you use JWT tokens you use a "Bearer" keyword in front of them. The whole idea behind the bearer token is: whoever bears that token, whoever holds that token, is a valid user and I would allow them to authenticate in my application. Now in case somebody steals that token, then he's the bearer and he is totally allowed. Now this small sentence actually gives a lot of anxiety to a lot of people: is it even a secure mechanism? Now in my actual run through of building a lot of applications, JWT is a pretty good and solid resource to authenticate a user; there is nothing to be worried about. In case you are a little bit worried, you can additionally use the concept of a refresh token, but I'll talk about that separately in another video, because a refresh token is not a mechanism to secure the token but rather a mechanism so that the user doesn't have to log in again and again. So we'll talk about them later on. So again, both of these techniques are just to make sure that we give something to the user so that we can authenticate them later on and keep on authenticating them without having to make them enter the password on every single page refresh. So that's what it is.

Now a lot of the time people have a discussion on this, and by the way, in case you are worried, don't be; I do have my notes here. We'll talk about the refresh tokens and JWT tokens in just a minute. First of all, this is entirely related to the backend, so for all those people who aren't able to understand this, just remember this is a backend technique. When you learn authentication on the backend side, this is something that you'll be using. So JWT is a mechanism which is quite popular and is being used, but still some people prefer to have the web server tokens. I'll talk about them as well, how they are useful and how and when they are actually designed, in a minute. But first let me walk through, for all those people who probably don't like to watch that much video and still want to explore things: let me first go back here, and what you can do is go to FreeAPI. If you want to understand the mechanism of how the refresh token and all these things work, just click up here. This is an open source project, and you will notice that inside this project, inside the source, if you check out the models, we are actually holding these refresh tokens on our servers. Later on, how the mechanism of the refresh token works, you can study directly by going into the controllers. Obviously this is something that we used in the apps for login, so there is an auth app; you can just click on this and in the user controller everything is mentioned. So you can just read and study the code and probably be able to understand much faster how the refresh token mechanism works, when we are updating them, when we are making a query about them. So that's the basics of it, in case you want to go into the code part of it. I'll obviously be creating more videos on that, but that probably will be on another day.

Now let's come back to this part. This is something that we are going to discuss: the tokens and all the mechanisms that go through. First of all, this is the part where we actually go with the JWT tokens, and this is the part where we go with the server tokens. Now JWT tokens are actually more client tokens, so they are given to the client once you generate them in the backend. There are packages for generating JWT tokens. It is actually built up of three major parts; the more important one is the payload part, in which you can add some information. It could be just an ID of the user, so that later on you can make a backend request and find more information, or maybe there could be a username, a profile picture URL, whatever you want to inject. That's a payload; you can inject that, and that is sent to the client so that whenever we need to verify whether you are a valid user, or what your username is, or anything that's there in the payload, we can actually get that. That is given to the client, and it's up to the client how it stores them. There are obviously great ways and bad ways, so some people store them in cookies, secure server cookies, some people store them in local storage; maybe there's a different case for each one of them, let's not judge them directly. And there are also server tokens. They are also kind of similar in look to the JWT tokens, but they are just a random string generated by, I don't know what resource, maybe crypto or however you are generating them. Once you generate them, you store them on your server as well, like in a database, and you send them to the client as well. So the only difference is that sometimes we store something on the server, and sometimes we don't store anything; we just send it to the client. So that's the whole idea about the JWT token: it's a bearer token, whoever holds that token is an authorized user, and yes, there is an expiration time that you can set up. If you're worried about it, that I don't want to set too long of an expiration time, or I'm worried about it, that's where the refresh token concept comes in. In the server tokens, we just store them on the server, and it is given to the frontend client as well; we make a query on the backend every time to verify whether this token matches. It's almost like a password, but not really a password.

So in case you want to understand more about them or have a conversation on that, there should be some parameters on which we can have this conversation.

The first one is the state. JWTs are considered stateless, while the server tokens are considered stateful. The whole idea is just the same: stateless means whoever holds them is the owner of it. Yes, there could be more discussion that can happen on that, but in general just keep in mind that JWT tokens are stateless tokens and the server tokens are more stateful tokens.

Revoke access: can I revoke them? Sadly there is no mechanism for revoking the JWT; once it's given, that's it, it's given. Unless there is also a mechanism, or a strategy, that you can have a blacklist of tokens, and once you add any token into the blacklist, that's it, he cannot just log in. But again, most of the time you'll just say, hey, there is no way to revoke the JWT tokens. For the server tokens, since everything is stored on the server, that's it: you can just revoke all the tokens and forcefully log out every single user.

Scalability is an issue which you should really consider, because the scalability is high in this one. Whenever you actually store tokens on the server, you always have to perform a database lookup, so the more database lookups, the more database queries, that means scalability can be a question here. In the case of JWT, since you're just generating them, you're just saying, hey, this is all done and gone. But remember, when you generate the JWT tokens there is a compute time that you have to be worried about, and that's why most of the time we use an await keyword in front of JWT, because it's a compute-heavy thing and it takes a couple of milliseconds, so you need to use await in case you're using JavaScript there. In the case of the DB lookup, just be worried: if you're storing everything on the server, just like every time you query image URLs or maybe something else, similarly you have to query for every single request; for every single page you have to make a DB query, so scalability is a big, big challenge in that case.

The size: now the size of the thing you're storing on the backend is relatively small, because it's just a backend string, but in this case it's up to the payload. So in the payload, maybe you're just injecting _id, that's it, that's a very small one, but in case you are using something more, then hey, this could be a really, really big one here as well. So size is very dependent on what you're injecting in the payload or what you are saving in the database.

Now security. This is a big question here: are JWTs 100% secure? Over the years I've realized that there is nothing which can be called 100% secure, but JWTs are fairly, fairly secure. There are not too many incidents where people are actually stealing your tokens, and most of the time they are stored in cookies, which can only be manipulated by the backend, so in that case fairly secure. But again, it could be compromised. Similarly, if you just look at the backend tokens as well: if somebody can steal the token given to you, he also can compromise your security. Now you're matching it; it's almost like, hey, I stole your password, so whoever has the password is the owner. The same concept is actually at work. So as a personal recommendation I can say JWT is a fair mechanism; don't worry too much about it, it works absolutely fine. Almost every application nowadays that you're seeing is actually based on JWT, so don't worry too much; over-panicking about security can be really bad, so don't do that.

Performance is also an issue on which we can have a discussion. Since there is no database query, the performance is relatively high, but remember, always, whenever you sign or verify (sign means you generate the JWT tokens, the signed tokens, or you verify them) there is some compute resource that you have to consume. It's not really that heavy, but it actually is a resource. And the latency: when we talk about the server tokens which you are storing there, latency is one of the issues, because as I always say, the database is always in another continent, so in that case for every single request you are actually firing them up.

The reason why I covered this is because this is a good and interesting topic, and if you have worked at any time in PHP, this is how it used to be done, and now, especially in the JavaScript arena, we prefer more of the JWT things. So sometimes maybe there is an interview question, or maybe there is a general engineering side of it you are confused about, or you're more curious about it; so this video has given you enough information and points on which you can make a search as well as enhance your knowledge about JWT tokens as well as server tokens. So that's it. I thought that's a good engineering-side video, so I just thought to make it. If you like that, that's great; if you don't like it, that's even fine as well. So let's go ahead and catch up in the next video.
Info
Channel: Hitesh Choudhary
Views: 18,487
Keywords: Programming, javascript, jwt tokens, server tokens, backend, servers, express, JWT
Id: lk8ONJI3k0c
Length: 10min 25sec (625 seconds)
Published: Fri Sep 15 2023