JSON Web Tokens

In this lesson, we're going to learn about JSON Web Tokens.

Project Source Code

Get the project source code below, and follow along with the lesson material.


To set up the project on your local machine, please follow the directions provided in the README.md file. If you run into any issues with running the project source code, then feel free to reach out to the author in the course's Discord channel.

This lesson is part of The newline Guide to Fullstack ASP.NET Core and React course.

    [00:00 - 00:12] Now, we have an endpoint for authenticating users, but we are returning all the user information which is inappropriate. What we really need to return should be a token, which is called a JSON web token.

    [00:13 - 00:19] Now, what is a JSON web token? It's basically a string which identifies a user.

    [00:20 - 00:27] You can also call it a user's passport online. So whenever the user logs in, the server verifies the email and the password.

    [00:28 - 00:49] And as an identifier, it returns a JSON web token, which is stored inside the user's browser until the user is logged in. And all the future requests the JSON web token is shared as a proof that it's you, so that you don't have to mention your email and the password before making any request to the server just to verify yourself.

    [00:50 - 00:59] With this, you log in once and until you log out, it authorizes you to make future requests. Now let's see what the JSON web token looks like.

    [01:00 - 01:12] Let's open JWT.io and this website has a debugger for working with the JSON web tokens. Inside the encoded box is a real JSON web token.

    [01:13 - 01:22] It's a long string which represents an object with multiple properties. You see three colors here, red, purple and blue.

    [01:23 - 01:31] Each color represents a different property. The red part of the token is the header, which consists of algorithm and the type.

    [01:32 - 01:40] You can also change the algorithm from here. And algorithm is basically a type of algorithm used to make this token.

    [01:41 - 01:45] Now comes a part where the actual information is present. This is called payload.

    [01:46 - 01:55] Here it's an object with sub, which is kind of an ID. It also has a name and iat, which stands for issued at.

    [01:56 - 02:03] iat is a timestamp of when the token was generated. This payload simply includes the public properties of a user.

    [02:04 - 02:10] Like a passport has your public information such as your name, residence, etc. It's not very different from that.

    [02:11 - 02:21] We as developers can choose which properties we want to use as part of the JSON web token. So that when we need the name of the user, we don't have to make the API call every time.

    [02:22 - 02:30] Another use case for us can be including if the user is an instructor. We can include the property instructor and make it true.

    [02:31 - 02:38] Doing this can give more access to the instructor. Now you must be wondering if adding properties to the token is that easy.

    [02:39 - 02:46] Any normal user can edit the token and they can claim themselves to be an instructor. Well, here the third part of the token comes in.

    [02:47 - 02:54] It's a digital signature. This is created based on the content of the JSON web token along with the secret key.

    [02:55 - 03:06] And the secret key which is used is only available on the server, which we will see. So if the user tries to modify the token with additional properties, the digital signature will stand invalid.

    [03:07 - 03:19] So whenever the data changes, it requires a valid digital signature which can be valid only if it is generated by the server. All invalid JWTs will be declined by the server.

    [03:20 - 03:25] So you don't have to worry about JSON web token security. Well, this is what JSON web tokens are.

    [03:26 - 03:28] Let's start generating them from the server in the next lesson.