JWT (JSON Web Token) Authentication


In a world where data is so crucial, it is an organization's responsibility to protect its users' data. Token-based authentication is a very popular technique nowadays for securely communicating and sharing information between two parties. Today, most companies have already started using token-based authentication instead of password logins.
In this article, we'll see one of the best authentication techniques, called "JWT", and cover all the points below:
  • What is a Token?
  • What is a token-based authentication?
  • Why is token-based authentication better and more secure than password logins?
  • What is JWT?
  • How does it work?

What is a token?
A token is a well-formed piece of data used to transmit sensitive information between two parties in a defined structure. Tokens strengthen the authentication process and can be used in websites and applications on both the server and client side.

It has three different parts:
  1. A header, which defines the algorithm used to sign or encrypt the token and the type of token.
  2. A payload, the main part of the token, which contains the information (claims) and other metadata.
  3. A signature, which verifies the sender and the authenticity of the message.

What is a token-based authentication?
Token-based authentication is a web authentication protocol that allows users to verify their identity a single time and receive a uniquely generated signed token in exchange. For a designated period of time, this token is how users access protected pages or resources instead of having to re-enter their login credentials.

Why is token-based authentication better and more secure than password logins?
On many sites we face login problems: we have to enter our credentials again and again. With token-based authentication you only have to log in once, and each time the server verifies you by the token within a designated period of time.
Every time you register you see a message below the password field such as "Please enter a strong password", or a set of rules you must follow to create a password. This is because passwords created by humans tend to be weak and easy to break.
Tokens also bring several advantages, such as:
  • Like HTTP, tokens are stateless.
  • Easy to generate
  • Fine-grained access control
Let's see one of the techniques that use token-based authentication called JWT (JSON Web Token) Authentication.

What is JWT?

JSON Web Token, commonly known as JWT, is a token-based authentication technique. Applications that use JWT do not need to hold cookies on the client side or sessions on the server side. It is defined in RFC 7519 (Request for Comments 7519) as a method of representing claims securely between two parties.
Over the past few years this technology has become more popular, so nowadays most web apps use it to keep their users' information private and protected. When securing a network, application, or service, token-based authentication adds a second layer of security.

A JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjE1MTAiLCJuYW1lIjoiQmhhcmF0IFZvcmEiLCJ3ZWJzaXRlIjoiYmhhcmF0dm9yYTgxNC5ibG9nc3BvdC5jb20ifQ.qLbUTNw1gZxfvCaqCAEs7bHgb6lI77slPF8NMYGeqXQ

Header . Payload . Signature

You can see the dots (.) in the token; they separate the header, the payload, and the signature.
 
After decoding, it looks like this:
Header -
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload -
{
  "id": "1510",
  "name": "Bharat Vora",
  "website": "bharatvora814.blogspot.com"
}

Signature -
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret-key
)

Copy this token and paste it here to see how it works by customizing it.

Two types of tokens
A JWT is acquired by exchanging a username and password for an access token and a refresh token.
Access Token: This type of token is usually short-lived (expires in 5-10 minutes); the lifetime is customizable.

Refresh Token: This type of token lives a little longer than the access token (expires in 24 hours); its lifetime is also customizable. After it expires, the user needs to verify their details again with a full login using username and password to generate a new token.


How does JWT work?


Whenever a user logs in to the system with their credentials, the server generates a JSON Web Token and sends it back to the user as an acknowledgement; the client must store it locally. Then, whenever the user accesses a protected service, the user agent attaches the JWT to the header of that request.
On the server side, when the server receives a request with a JWT attached, it first validates the token. The validation steps are listed below; if the token fails any of them, the request is rejected.
  • Is the JWT well-formed?
  • Check the signature
  • Validate the standard claims
  • Check the permissions of the client
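The following is an added example, not code from the article: it rebuilds the header.payload.signature structure described above with HS256, decodes the article's own token (the header and payload are only base64url-encoded, not encrypted, so anyone can read them), and implements the four server-side validation steps in the order just listed. The secret key, the `scope` claim used for the permission check, and the `exp` values are assumptions for the demonstration.

```python
import base64, hmac, hashlib, json, time

# The token printed in the article, with its three dot-separated segments rejoined.
ARTICLE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZCI6IjE1MTAiLCJuYW1lIjoiQmhhcmF0IFZvcmEiLCJ3ZWJzaXRlIjoiYmhhcmF0dm9yYTgxNC5ibG9nc3BvdC5jb20ifQ."
    "qLbUTNw1gZxfvCaqCAEs7bHgb6lI77slPF8NMYGeqXQ")

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_unverified(token: str):
    # Header and payload are only encoded, not encrypted: no secret needed to read them.
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))

def sign_jwt(claims: dict, secret: bytes) -> str:
    # HS256: signature = HMAC-SHA256(base64url(header) + "." + base64url(payload), secret)
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, secret: bytes, required_scope: str, now=None) -> dict:
    """Server-side checks in the article's order; raises ValueError on the first failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:                          # 1. well-formed: three segments
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")       # pin the algorithm; never accept alg=none
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")        # 2. signature, compared in constant time
    claims = json.loads(b64url_decode(body_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")        # 3. standard claims: exp must be in the future
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")   # 4. permissions of the client (assumed scope claim)
    return claims
```

A tampered payload fails at step 2 because the HMAC no longer matches, which is the whole point of the signature segment.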

I hope this article helped you clear all your doubts regarding token-based authentication and JWT authentication. I'll cover the programming part, how to create a Django application, in the next article. So make sure you subscribe to my blog.

If you really like this💯, then follow🌈 me by clicking the Follow💥 button next to the comment section.🤩🥰

Stay connected with me 😃
Thank you 💙😇
