Five Important Tips For Working With JWTs

Nowadays, JSON Web Tokens are the most common way of proving identity information to APIs. The concepts behind JWTs are also quite easy to understand, and it takes only a couple of minutes to have the most basic authentication running.

You’ll find hundreds of articles about JWTs and their use by simply googling “how to use jwt”.

However, the basics of JWTs are not why we’re here today. Instead, what I want to share with you are some of the experiences we’ve had at Webiny — some not-so-simple problems we’ve encountered and what we’ve learned in the process.

1) Don’t forget to support refresh tokens

Creating a JWT on user login is simple. That’s where 99% of articles end. Unfortunately, the percentage of apps that run on these basic “hello world” implementations is pretty much the same. Make sure you provide your API clients with a way to refresh the JWT when it has expired.

If you’ve ever used any of the identity providers like Okta, Cognito, Auth0, or others, I’m sure you’ve noticed that, upon successful login, they provide an idToken and a refreshToken. There’s a reason for that. Once an idToken has expired, you don’t want to ask your user to log in again.

Some companies’ security policies require a very short lifetime for idTokens (sometimes an hour or so). That’s where you need a refreshToken to automate token regeneration. Otherwise, your users will have to re-login every hour. Annoying, right?

2) Don’t exchange third-party tokens

The idea behind token exchange goes like this. A user logs into your identity provider (in our case, it was Cognito) and then you send that idToken to your own API to exchange it for a new idToken, issued by you, based on an already verified identity.

Why would you do that?

Well, business logic permissions can be very complex and, often, they go beyond simple strings like “ADMIN” or “MODERATOR”. If you have a decent-sized app with fine-grained access control, your permissions can become quite complex. Simple string roles are simply not enough (see this issue, where we discuss the next version of Webiny Security layer, to find an example of fine-grained access control).

Another reason to do this is to have a normalized structure of data within the token. Different identity providers provide different ways of specifying permissions/scopes, and they store them in different keys within the token. Cognito, for example, makes it impossible to assign custom attributes if you’re using custom UI with Amplify Auth (which we use in Webiny).

Going with token exchange sounded like a great way to solve all of these problems. Also, storing permissions into a JWT is an efficient way to optimize authorization in a service-oriented architecture, where services communicate with each other. It’s fast and easy to validate a JWT, and you don’t need to issue additional DB or API calls to authorize a user. But then…
