Codecast is a reader supported publication. If you want a regular supply of well composed, concise, informative, and current articles on a variety of programming topics, you should subscribe:
JSON Web Token, or JWT, is an open standard (RFC 7519) for passing claims between two parties as a compact, URL-safe token. The token is a JSON object that is base64url-encoded and, in the common case, digitally signed (a JWS); it can also be encrypted (a JWE), but most web authentication uses signed tokens, whose payload can be read by anyone who holds the token. It is a popular token-based authentication method on the web.
How does it work in practice?
There are three main entities participating in this process: the client, the authentication server that authenticates the user, and the resource server that performs the task (or serves the resource) we want after authenticating with a JWT.
The process is divided into two main steps:
Step 1 occurs when the user performs an action such as “sign in”: the authentication server receives the request, checks the credentials, generates a signed JWT and sends it back to the client. This token usually has an expiry time attached to it (the exp claim).
Step 2 is when the client accesses data or a resource on the resource server, sending the token along with the request, for example in the HTTP Authorization header as a bearer token (Authorization: Bearer <token>). The resource server verifies the signature and the expiry before serving the request.
Now let’s look at some of the uses of JWTs and the pros of using them in web apps.
JWTs have many popular use cases; a couple of them include:
As you might have already guessed, user authentication: once a user has logged in to an online application with their credentials, a JWT lets subsequent requests prove that login without sending the credentials again.
Securing web API calls from client to server in a web app.
Some of the advantages of using this token-based method of information exchange are:
Benefit of security: the information contained within the JSON object can be verified and trusted because it is digitally signed, so a client cannot alter the claims without invalidating the signature, and the expiry limits how long a leaked or stolen token stays usable. Note that a signed JWT is not encrypted: the payload is only base64url-encoded, so it must not carry secrets.
Benefit of statelessness: the server does not have to store any user session data, because everything it needs to authorize a request is carried in the token and checked against the signature. The flip side is that a token cannot be revoked before it expires unless the server keeps a deny-list, so token lifetimes should be kept short.
Benefit of compactness: a JWT can simply be passed in the header of an HTTP API call and is easier to process, and hence more scalable, than something like the XML-based SAML protocol.
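The two-step flow above (the authentication server issuing a signed, expiring token; the resource server verifying it from the Authorization header) and the security and statelessness points just listed, shown end to end as an added example that is not part of the original article. It uses only the Python standard library rather than a JWT library, and the shared HMAC secret, the user name and the timestamps are constructed for the example. Beyond the article's description it also shows that the payload is readable without the key, and that a tampered token and an "alg":"none" token are both rejected.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret shared by the auth server and the resource server.
# In production it comes from a secret store, never from source code.
SECRET = b"example-shared-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding urlsafe_b64decode wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Step 1: the authentication server builds and signs an HS256 JWT with an exp claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_payload_without_key(token: str) -> dict:
    """Decoding needs no secret: a signed JWT is integrity-protected, not confidential."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Step 2: the resource server checks alg, signature and exp; returns the claims or raises."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the server side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired or missing exp")
    return payload


def authorize_request(headers: dict, now: Optional[int] = None) -> Optional[dict]:
    """Resource-server entry point: take the bearer token from the Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    try:
        return verify_token(token, now=now)
    except ValueError:  # covers JSON and base64 decode errors too
        return None


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value so the run is reproducible
    token = issue_token("alice", ttl_seconds=60, now=t0)
    print("issued:", token)
    print("payload readable without key:", read_payload_without_key(token))
    print("valid request:", authorize_request({"Authorization": "Bearer " + token}, now=t0 + 30))
    print("after expiry:", authorize_request({"Authorization": "Bearer " + token}, now=t0 + 60))
    h, p, s = token.split(".")
    forged = read_payload_without_key(token)
    forged["sub"] = "admin"  # edit the claims but keep the original signature
    fp = b64url_encode(json.dumps(forged, separators=(",", ":")).encode())
    print("tampered payload:", authorize_request({"Authorization": f"Bearer {h}.{fp}.{s}"}, now=t0 + 30))
    none_h = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    print("alg none:", authorize_request({"Authorization": f"Bearer {none_h}.{p}."}, now=t0 + 30))
```

Everything the resource server needs is in the token and the shared secret, which is the statelessness the article describes; the same property is why a token stays valid until exp no matter what the server does, so the example uses a short lifetime.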
Thanks for reading! :)
I am also active on Twitter.
If you liked this article, maybe share it with a friend?