JSON Web Tokens

[00:00:00]
>> Maximiliano Firtman: What's next? So, of course, you know that we should have this account page, and then Favorites and Watchlist. But now we have another problem. So, account, how do I know that I'm logged in? So I should see the account page only if I'm logged in. So, first.

[00:00:19]
How my router knows if I'm logged in.
>> Maximiliano Firtman: It doesn't know actually. And also, how do we talk to the server later for things that are available only to authenticated user? How does the server know that I have authenticated you, five minutes ago? And I have permission to do that?

[00:00:50]
So I mean the authentication process works. So the service email, okay? But for that I need the username and password, the email, the password. So do I save the email and the password in a variable or in local storage, so then every time I talk to the server, I have the username and password so the server can validate me.

[00:01:08]
I mean, I can do that, but from a security point of view, it makes no sense. Just store the password, client side, anyone can see the password. It's not a good. So we need to find a solution. There are many solutions out there. A classic solution was to create a session server side.

[00:01:28]
What's a session? It's a concept server side that involves a cookie.So, we send a cookie, but the cookies shouldn't have the password, the cookies, some bytes. The browser is storing client side, and it's sending that to the server on every HTTP request. But the cookie has problems. You know that they're a problem.

[00:01:48]
Okay? So another solution is called JWT, JSON Web Token. I'm not sure if you have heard about it. Do you know? Can you define? What's JSON Web Token? Anyone? JSON Web Token.
>> Speaker 2: Temporal key that you carry around with your requests?
>> Maximiliano Firtman: So it's a key suggested pronunciation that one as jot, whatever, or jot.

[00:02:16]
I haven't used that pronunciation, Creation, anyway. So it's a spec, okay? It's a standard that actually is really standard. It has its own RFC. So it's really a standard that let us save data, including private data. It can be the email of the user. You may want. You may.

[00:02:38]
Save the password. You don't need to actually, but you can save the password if you want or any data that you wanna save client side and you don't need to do anything server side. That means I don't need to save a database or creating memory a session, nothing.

[00:02:57]
So it's a safe way To store data in the browser, but only the server can access the data. It's like I will get I will prepare some data. So I will take something, it will take this. I will put some data inside and somehow I encode that. I wrap that in a secure thing.

[00:03:19]
Okay. Store this every time you want to talk to me, send me this. And the only one that can unwrap this or can decrypt this is me. Because I have I have a private key on my server, and you can decrypt that only with the private key. So that means that if anyone.

[00:03:39]
Is reading the JSON web token client side, it can't read the contents inside. So it's like a credential, I have one here, like this. This is my hotel keycard. It's a keycard that I don't know what's inside actually, this is a A contact list, so there is something written in there, but I cannot read it, okay, and even if I read it, it's probably encrypt.

[00:04:05]
I don't know if it's encrypted or not, but maybe it may be encrypted. So I can do anything but someone that had the authority gave me this, and now I have this, and I can then present my credentials. Just by showing the car, even if I can't open the car and see what's inside, I can use the car to present my credentials to my room, also to the business center, to the pool.

[00:04:31]
So, different places I can just show the hotel car, and that's JSON Web Token. JSON Web Token is. Not matching. It also has some problems, because what happens if someone is Hijacking My Computer and stolen my JSON Web Token? Well, it's like someone there's now still in my hotel car.

[00:04:54]
If they know where the hotel is, and if they know my room number, they can get in. okay. The same happens with JSON web token. So that means that that's why JSON Web Tokens also have expiration. And typically we tend to do short expiration. It depends on the system.

[00:05:16]
It can be minutes, 10 minutes. It can be hours. It can be days. It depends on the project. You decide. When you create the web token, you set the expiration in the token. What happens when it's expired? Actually, this key has an expiration. Let me show you if you know that.

[00:05:35]
But if I'm checking out tomorrow from my hotel and I. Come back next week. It's not going to work on the same room, because it has an expiration. So it's the same thing. Okay? So I have the authority to use this, but only for a while, for a period of time, and when, when that happens, when that expire, I need to request a new one.

[00:05:55]
I need to request a new web token. Okay, that's. That's roughly quickly how web tokens work, okay?