• Albert Bennett

Authentication: Tokens (JWT)

Updated: Aug 21, 2019

So... what is this magical thing? Basically a JWT (JSON Web Token) is a string that proves that the user is genuine. It also contains a list of permissions and the resource that you can access using the token. Most tokens have an expiry attached to them; once it has passed, the token can no longer be used. When you request a token you can also get a refresh token. This can be exchanged for a new token without the user having to log in again or do any of that nonsense, making for a much better user experience.


They work on the basis that the user gives the authorization authority some information (username and password). These credentials are then passed on and exchanged for a token. Each library has its own way of doing this, so it isn't always necessary for the user to pass on this information each time they want to access the resource, especially if the user has already signed in to the resource (think Microsoft login page). Things can be a little different server-side, in the sense that permissions will have to be consented to by an admin, not the user. In that situation service accounts can be used instead :).


Tokens are normally consumed by passing them on as a bearer token in the Authorization header of an HTTP request. Normally, though, not as a rule: each API can manage its authorization in a different way, so do plenty of research beforehand.
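As an added example (not code from the post), here is a Python sketch of both halves described above: minting a token that carries a permission list and an expiry, and a resource server pulling it out of the Authorization header as a bearer token and checking signature, expiry and the required permission before trusting any claim. The shared HS256 secret, the `permissions` claim name and the sample values are assumptions made for this example.

```python
import base64, hashlib, hmac, json

# Constructed for this example (not from the post): shared HS256 secret and a "permissions" claim.
SECRET = b"demo-shared-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, permissions: list, ttl: int, now: int) -> str:
    """Issue an HS256 JWT carrying a permission list and an expiry (exp)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "permissions": permissions, "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_request(auth_header: str, required_permission: str, now: int) -> dict:
    """Check the bearer token in an Authorization header; return claims or raise."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("missing bearer token")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the server pins the algorithm, not the token
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")  # reject before reading any claim
    claims = json.loads(b64url_decode(p))
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if required_permission not in claims.get("permissions", []):
        raise ValueError("permission denied")
    return claims


def check(auth_header: str, required_permission: str, now: int):
    """Return None when the request is authorised, else the rejection reason."""
    try:
        verify_request(auth_header, required_permission, now)
        return None
    except ValueError as err:
        return str(err)
```

A token minted here can be pasted into JWT.io to see the same header and payload the verifier decodes.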


Also, when I first started learning about authentication, one of the online tools that I would use to make sure that the token was legit is JWT.io. It's a tool that decodes JWTs, and you can then see what properties the token has.
