Jeremy Troy Suchanski   

Web Frontend Development II

Gary James      

May 11, 2022

L08 Readings Notes

Getting Started with JSON Web Tokens (JWT) (Notes)

WHEN SHOULD YOU USE JSON WEB TOKENS?

-          JSON Web Token (JWT): is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This info can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with HMAC algorithm) or a public/private key pair using RSA.

Compact: Because of its size, it can be sent through an URL, POST parameter, or inside an HTTP header. Additionally, due to its size its transmission is fast.

Self-contained: The payload contains all the required information about the user, to avoid querying the database more than once.

-          Authentication: This is the typical scenario for using JWT, once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used among systems of different domains.

-          Information Exchange: JWTs are a good way of securely transmitting information between parties, because as they can be signed, for example using a public/private key pair, you can be sure that the sender is who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn’t changed.

WHICH IS THE JSON WEB TOKEN STRUCTURE?

-          JTW structure: consists of three parts (Header, Payload, Signature) separated by dots. (i.e. xxxxx.yyyyy.zzzzz)

-          Header: typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm such as HMAC SHA256 or RSA. Code Example:

{

  "alg": "HS256",

  "typ": "JWT"

}

-          Payload: contains the claims.

claims: statements about an entity (typically, the user) and additional metadata. There are three types of claims: reserved, public, and private claims.

• Reserved claims: These are a set of predefined claims, which are not mandatory but recommended, thought to provide a set of useful, interoperable claims. (i.e iss (issuer), exp (expiration time), sub (subject), aud (audience))
• Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.
• Private claims: These are the custom claims created to share information between parties that agree on using them. Code Example:

{

  "sub": "1234567890",

  "name": "John Doe",

  "admin": true

}

-          Signature: To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. Code Example:

HMACSHA256(

  base64UrlEncode(header) + "." +

  base64UrlEncode(payload),

  secret)

-          Putting all together: The output is three Base64 strings separated by dots that can be easily passed in HTML and HTTP environments & is compact. jwt.io allows you to decode, verify and generate JWT. Code Example:

HOW JSON WEB TOKENS WORK?

-          JSON Web Token: returned in authentication, when the user successfully logs in using their credentials. Since tokens are credentials, great care must be taken to prevent security issues. In general, you should not keep tokens longer than required and should not store sensitive session data in browser storage due to lack of security. To access a protected route, the browser should send the JWT, typically in the Authorization header using the Bearer schema. (Example: Authorization: Bearer <token>) This is a stateless authentication mechanism as the user state is never saved in the server memory.

WHY SHOULD YOU USE JSON WEB TOKENS?

-          Types of tokens: #1 JSON Web Tokens (JWT) #2 Simple Web Tokens (SWT) #3 Security Assertion Markup Language Tokens (SAML).

-          SAML: JWT more compact.

-          SWT: can only be symmetric signed by a shared secret using the HMAC algorithm. While JWT and SAML tokens can also use a public/private key pair in the form of a X.509 certificate to sign them, but signing with JSON is simpler than with SAML.

-          JSON: parsers are common in most programming languages, because they map directly to objects. XML doesn’t have a natural document-to-object mapping, therefor it is easier to work with JWT than SAML assertions.

 

Develop, Debug, Learn? (Notes)

 

-          Logical Order: Learn – Develop – Debug.

-          Developers: use other people’s code to build our code (i.e. libraries, frameworks, 3rd party, packages, services). Leading to

Develop – Depend – Debug – Learn. Their job is to build things to allow people to do things. They are a delivery service.

-          Focus: should be on the end users. They pay developer’s companies for the things that developers make.

-          Demand Overload: performance, security, accessibility, interoperability, app-readiness, maintenance, automation, frameworks, libraries, CLI/tool customization.

-          The full stack overflow developers: when you don’t know something you go to stack overflow you copy and paste and put it inside your thing.

-          Context switching: (browser, GitHub, IED, Code Pen, Stack Overflow etc) can be mentally exhausting.

-          Developer tools: should prevent us from doing things wrong, instead of patching up what we created. Develop – Learn – Debug

-          Open-source code: is a great resource.

-          Editor, Browser, Docs: your world to build that teach people great practices while they’re developing, not after they messed it up.