How to Create a JWT Authentication Web API

There is no denying that JWT is a cool breeze and a relief from the feature insanity of OAuth. I once spent a week trying to understand OAuth; I had to give up. There was simply no way I could wrap my brain around it. I could explain JWT to a 5-year-old child in less than 5 minutes. If OAuth is a scrapyard of madness and radioactive waste, JWT is a green field swimming in warm rays of sun after the morning dew has sprinkled the fresh grass.

A JWT consists of three simple parts: a header describing the token (most importantly the signing algorithm in its "alg" field), a payload holding the claims (subject, name, timestamps and so on), and a signature that lets the receiver confirm the token was created by someone holding the signing key and has not been altered since. Header and payload are JSON; all three parts are base64url encoded (the URL-safe alphabet, with the "=" padding stripped), joined with a ".", and normally sent as a Bearer token in the Authorization HTTP header of your REST calls. Dead simple, in fact.

Below is a typical example of a JWT token.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The reason this is secure is that a "secret" has been used when creating the signature, which is the last part of the token. Without the secret, nobody can produce a signature your backend will accept. The one caveat: the secret itself must be long and random. A short or dictionary-word secret can be guessed offline by anyone who holds a single valid token, simply by recomputing the signature with candidate secrets until one matches. With a proper secret the thing is solid as a rock, yet as simple as a cup of coffee on a Sunday morning.

If you copy and paste the above token into the textbox at JWT.io, you can clearly see all individual components of your token. Its payload contains a subject ("sub"), a name, and an issued-at time ("iat") in the form of a Unix timestamp; a token you issue for real should also carry an expiration ("exp"), which this sample lacks. Because the payload is only base64url encoded, not encrypted, your frontend can read the token's claims directly. So can anyone else who gets hold of the token, so never put anything secret in the payload.

In your backend, you validate the token by recomputing its signature: take the first two base64url segments joined by ".", compute an HMAC-SHA256 over that string with your secret (this is the HS256 algorithm the sample header declares), base64url encode the result, and compare it to the third segment using a constant-time comparison. If it matches, the token is genuine and unmodified; anyone who does not know the secret cannot produce a token your backend will accept. Two checks belong with it: decide which algorithm you accept up front instead of trusting the "alg" field in the header (a token declaring "none" or a different algorithm must be rejected outright), and compare the "exp" claim against the current time. And of course, .NET and most other major software development frameworks contain helper classes and utility methods to do all of this for you.
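The sign-and-verify procedure just described, and the weak-secret caveat from a few paragraphs up, as one added example in Python using only the standard library. This is not code from the article and not Magic's code. It implements HS256 as the sample token's header declares it: the HMAC covers the two encoded segments joined by ".", the verifier pins the algorithm instead of reading it from the token, compares the MAC in constant time, and checks "exp". The last function shows why the secret must be random: with one valid token in hand, candidate secrets can be tried offline until the signature matches. The secret, claims and wordlist are constructed sample values.

```python
"""HS256 JWT: sign, verify with a pinned algorithm, and an offline weak-secret check.

Added example using only the standard library; not code from the article or from Magic.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values (assumptions for this example, not from the article).
# A real secret must be long and random, e.g. 32 bytes from os.urandom(), never a word.
STRONG_SECRET = b"7f2a9c4d1e8b5a3f6c0d9e2b4a7c1f8e5d3b6a9c2e4f7a1d8b5c3e6f9a2d4b7c"
WEAK_SECRET = b"secret"
CLAIMS = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022, "exp": 1516242622}
WORDLIST = ["password", "changeme", "secret", "letmein"]


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature; the MAC covers the two encoded segments joined by '.'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is genuine, unmodified and unexpired, else None.

    The accepted algorithm is decided here, not read from the token: a header
    saying "none" or any other alg is rejected before the signature is examined.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None  # wrong segment count, bad base64url or bad JSON
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def guess_weak_secret(token: str, wordlist: list) -> Optional[str]:
    """Offline attack: anyone holding one valid token can try secrets until the MAC matches."""
    for candidate in wordlist:
        if verify_hs256(token, candidate.encode("utf-8"), now=0) is not None:
            return candidate
    return None


if __name__ == "__main__":
    token = sign_hs256(CLAIMS, STRONG_SECRET)
    print("token:", token)
    print("valid:", verify_hs256(token, STRONG_SECRET, now=1516239100))
    print("expired:", verify_hs256(token, STRONG_SECRET, now=1516242622))
    header_b64, payload_b64, sig_b64 = token.split(".")
    forged = header_b64 + "." + b64url_encode(b'{"sub":"admin"}') + "." + sig_b64
    print("forged payload:", verify_hs256(forged, STRONG_SECRET, now=1516239100))
    none_token = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + payload_b64 + "."
    print("alg=none:", verify_hs256(none_token, STRONG_SECRET, now=1516239100))
    weak_token = sign_hs256(CLAIMS, WEAK_SECRET)
    print("recovered weak secret:", guess_weak_secret(weak_token, WORDLIST))
```

Run it as a script and the first segment of the printed token is the same header segment as the sample token above, because both encode {"alg":"HS256","typ":"JWT"}. The forged-payload and alg=none cases come back None, and the token signed with "secret" gives up its key to a four-word list, which is the whole argument for generating the secret rather than choosing it.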

A week ago, I decided I wanted to create an SSO JWT auth server, which allows me to permanently solve all my "auth problems." One week later, having worked on it only in the evenings, I was done, and I could pride myself on having a complete SSO JWT authentication and authorization server, covering all my future needs for anything related to auth. Watch me demonstrate the system in the video below.

Sorry, OAuth, you have been weighed, and we have found you to be too heavy. OAuth is dead, long live JWT! ;)

By the way, if you think even adding some ~25 lines of C# code in your Web API is too much, feel free to download Magic, which I am using in the above video to create my SSO JWT AUTH server.
