Presented By: Sumit
JSON WEB TOKEN
Introduction
JWT:
JSON Web Tokens (JWT) are an open, industry-standard (RFC 7519) method for representing
claims securely between two parties.
Authorization strategies:
1) Session token
2) JSON web token
Session Token:
In session-based authentication, the server creates a session for the user after the user
logs in. The session id is then stored in a cookie in the user’s browser. While the user stays
logged in, the cookie is sent along with every subsequent request. The server can then
compare the session id from the cookie against the session information stored in its
memory to verify the user’s identity and respond with the corresponding state.
Whatever the authorization mechanism, session-based, JWT or anything devised in the future,
they all have one thing to blame: HTTP.
HTTP:
HTTP is a stateless protocol. This means an HTTP server need not keep track of any state
information. So every interaction in HTTP must contain all the information needed for that
interaction; nothing is remembered, and no state is maintained across multiple requests.
Session Token working
Session Token Problem:
A modern web app has multiple servers and a load balancer that decides which server a
request is routed to. Suppose the login request lands on server 1, so the session lives in
server 1's memory; the next request goes through the load balancer to server 2, and server 2
has no idea about the previous exchanges. Only server 1 recognizes the session id.
JWT Architecture
If you can decode a JWT, how is it secure?
JWTs can be signed, encrypted, or both. If a token is signed but not encrypted, everyone
can read its content, but without the private key you cannot change it: otherwise the
receiver will notice that the signature no longer matches.
What happens if your JSON web token is stolen?
It’s bad, really bad.
Because JWTs are used to identify the client, if one is stolen, an attacker has full access to the
user’s account information.
If an attacker gets hold of your JWT, they can start sending requests to the server identifying
themselves as you and do things like make service changes, update the user account, etc.
Once an attacker has your JWT it is game over.
But there is one thing that makes a stolen JWT slightly less bad than a stolen username and
password: timing. Because a JWT can be configured to expire automatically after a set amount
of time, an attacker can only use your JWT to access the service until it expires.
One of the ways token authentication is said to make authentication more “secure” is via
short-lived tokens.
When should you use JSON web tokens?
● Authorization: This is the most common scenario for using JWT. Once the user is logged in,
each subsequent request will include the JWT, allowing the user to access the routes, services,
and resources that are permitted with that token.
● Information Exchange: JSON Web Tokens are a good way of securely transmitting
information between parties. Because JWTs can be signed, for example using
public/private key pairs, you can be sure the senders are who they say they are.
What does a JWT look like?
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
JSON Web Token structure:
1) Header
2) Payload
3) Signature
HEADER:
The header typically consists of two parts: the type of the token, which is JWT, and the signing
algorithm being used, such as HMAC SHA256 or RSA.
Payload:
The second part of the token is the payload, which contains the claims. Claims are statements
about an entity (typically, the user) and additional data.
There are three types of claims:
● Registered
● Public
● Private claims.
Registered claims:
These are a set of predefined claims which are not mandatory but recommended, to
provide a set of useful, interoperable claims. Examples: sub (subject), exp (expiration time) and
others.
Public claims:
These can be defined at will by those using JWTs. But to avoid collisions they should be defined
in the IANA JSON Web Token Registry or be defined as a URI that contains a collision-resistant
namespace.
Private claims:
These are custom claims created to share information between parties that agree on
using them and are neither registered nor public claims.
An example payload could be:
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}
Signature:
● To create the signature part you take the encoded header, the encoded payload, a
secret and the algorithm specified in the header, and sign that.
Putting it all together:
Thank You !

Weitere ähnliche Inhalte

Was ist angesagt?

Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication Mediacurrent
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerVMware Tanzu
 
Angular - Chapter 9 - Authentication and Authorization
Angular - Chapter 9 - Authentication and AuthorizationAngular - Chapter 9 - Authentication and Authorization
Angular - Chapter 9 - Authentication and AuthorizationWebStackAcademy
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensJonathan LeBlanc
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWTJennifer Estrada
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
5 easy steps to understanding json web tokens (jwt)
5 easy steps to understanding json web tokens (jwt)5 easy steps to understanding json web tokens (jwt)
5 easy steps to understanding json web tokens (jwt)Amit Gupta
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Client-side JavaScript
Client-side JavaScriptClient-side JavaScript
Client-side JavaScriptLilia Sfaxi
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 

Was ist angesagt? (20)

JSON Web Tokens
JSON Web TokensJSON Web Tokens
JSON Web Tokens
 
Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication Using JSON Web Tokens for REST Authentication
Using JSON Web Tokens for REST Authentication
 
Jwt Security
Jwt SecurityJwt Security
Jwt Security
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinModern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
Getting Started with Spring Authorization Server
Getting Started with Spring Authorization ServerGetting Started with Spring Authorization Server
Getting Started with Spring Authorization Server
 
Angular - Chapter 9 - Authentication and Authorization
Angular - Chapter 9 - Authentication and AuthorizationAngular - Chapter 9 - Authentication and Authorization
Angular - Chapter 9 - Authentication and Authorization
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
Json
JsonJson
Json
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWT
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
5 easy steps to understanding json web tokens (jwt)
5 easy steps to understanding json web tokens (jwt)5 easy steps to understanding json web tokens (jwt)
5 easy steps to understanding json web tokens (jwt)
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
Client-side JavaScript
Client-side JavaScriptClient-side JavaScript
Client-side JavaScript
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web Services
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Ajax Presentation
Ajax PresentationAjax Presentation
Ajax Presentation
 
Dom based xss
Dom based xssDom based xss
Dom based xss
 

Ähnlich wie JSON WEB TOKEN

Jwt the complete guide to json web tokens
Jwt  the complete guide to json web tokensJwt  the complete guide to json web tokens
Jwt the complete guide to json web tokensremayssat
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use itSergey Podgornyy
 
Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web T...
Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web T...Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web T...
Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web T...Uniface
 
Micro Web Service - Slim and JWT
Micro Web Service - Slim and JWTMicro Web Service - Slim and JWT
Micro Web Service - Slim and JWTTuyen Vuong
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
Jwt with flask slide deck - alan swenson
Jwt with flask   slide deck - alan swensonJwt with flask   slide deck - alan swenson
Jwt with flask slide deck - alan swensonJeffrey Clark
 
Protecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesProtecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesRodrigo Cândido da Silva
 
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API ManagerWSO2
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)iMasters
 
Bitcoin story of programable currency
Bitcoin story of programable currencyBitcoin story of programable currency
Bitcoin story of programable currencyHossam Soffar
 
Create your own token
Create your own tokenCreate your own token
Create your own tokenshira william
 
Polling system solution using blockchain & Liferay
Polling system solution using blockchain & LiferayPolling system solution using blockchain & Liferay
Polling system solution using blockchain & LiferayDhanraj Dadhich
 

Ähnlich wie JSON WEB TOKEN (20)

Jwt the complete guide to json web tokens
Jwt  the complete guide to json web tokensJwt  the complete guide to json web tokens
Jwt the complete guide to json web tokens
 
Landscape
LandscapeLandscape
Landscape
 
Landscape
LandscapeLandscape
Landscape
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
 
Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web T...
Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web T...Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web T...
Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web T...
 
Micro Web Service - Slim and JWT
Micro Web Service - Slim and JWTMicro Web Service - Slim and JWT
Micro Web Service - Slim and JWT
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
Jwt with flask slide deck - alan swenson
Jwt with flask   slide deck - alan swensonJwt with flask   slide deck - alan swenson
Jwt with flask slide deck - alan swenson
 
Protecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesProtecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and Strategies
 
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager
 
Authorization Using JWTs
Authorization Using JWTsAuthorization Using JWTs
Authorization Using JWTs
 
INFRA v2
INFRA v2INFRA v2
INFRA v2
 
Jwt
JwtJwt
Jwt
 
Json web tokens
Json web tokensJson web tokens
Json web tokens
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
BlockChain Public
BlockChain PublicBlockChain Public
BlockChain Public
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
 
Bitcoin story of programable currency
Bitcoin story of programable currencyBitcoin story of programable currency
Bitcoin story of programable currency
 
Create your own token
Create your own tokenCreate your own token
Create your own token
 
Polling system solution using blockchain & Liferay
Polling system solution using blockchain & LiferayPolling system solution using blockchain & Liferay
Polling system solution using blockchain & Liferay
 

Mehr von Knoldus Inc.

Mastering Distributed Performance Testing
Mastering Distributed Performance TestingMastering Distributed Performance Testing
Mastering Distributed Performance TestingKnoldus Inc.
 
MLops on Vertex AI Presentation (AI/ML).pptx
MLops on Vertex AI Presentation (AI/ML).pptxMLops on Vertex AI Presentation (AI/ML).pptx
MLops on Vertex AI Presentation (AI/ML).pptxKnoldus Inc.
 
Introduction to Ansible Tower Presentation
Introduction to Ansible Tower PresentationIntroduction to Ansible Tower Presentation
Introduction to Ansible Tower PresentationKnoldus Inc.
 
CQRS with dot net services presentation.
CQRS with dot net services presentation.CQRS with dot net services presentation.
CQRS with dot net services presentation.Knoldus Inc.
 
Building Resilient Software A Deep Dive into Self-Healing Test Automation Fra...
Building Resilient Software A Deep Dive into Self-Healing Test Automation Fra...Building Resilient Software A Deep Dive into Self-Healing Test Automation Fra...
Building Resilient Software A Deep Dive into Self-Healing Test Automation Fra...Knoldus Inc.
 
Introduction to Buildpacks.io Presentation
Introduction to Buildpacks.io PresentationIntroduction to Buildpacks.io Presentation
Introduction to Buildpacks.io PresentationKnoldus Inc.
 
Introduction to Falco presentation.pptxx
Introduction to Falco presentation.pptxxIntroduction to Falco presentation.pptxx
Introduction to Falco presentation.pptxxKnoldus Inc.
 
Spark Unveiled Essential Insights for All Developers
Spark Unveiled Essential Insights for All DevelopersSpark Unveiled Essential Insights for All Developers
Spark Unveiled Essential Insights for All DevelopersKnoldus Inc.
 
Understanding System Design and Architecture Blueprints of Efficiency
Understanding System Design and Architecture Blueprints of EfficiencyUnderstanding System Design and Architecture Blueprints of Efficiency
Understanding System Design and Architecture Blueprints of EfficiencyKnoldus Inc.
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
Getting Started With React Native Presntation
Getting Started With React Native PresntationGetting Started With React Native Presntation
Getting Started With React Native PresntationKnoldus Inc.
 
Elastic Search Capability Presentation.pptx
Elastic Search Capability Presentation.pptxElastic Search Capability Presentation.pptx
Elastic Search Capability Presentation.pptxKnoldus Inc.
 
Kotlin With JetPack Compose Presentation
Kotlin With JetPack Compose PresentationKotlin With JetPack Compose Presentation
Kotlin With JetPack Compose PresentationKnoldus Inc.
 
Angular AG grid and its features with Pagination
Angular AG grid and its features with PaginationAngular AG grid and its features with Pagination
Angular AG grid and its features with PaginationKnoldus Inc.
 
Grafana Loki (Monitoring Tool) Presentation
Grafana Loki (Monitoring Tool) PresentationGrafana Loki (Monitoring Tool) Presentation
Grafana Loki (Monitoring Tool) PresentationKnoldus Inc.
 
Components in Ionic Presentation (FrontEnd)
Components in Ionic Presentation (FrontEnd)Components in Ionic Presentation (FrontEnd)
Components in Ionic Presentation (FrontEnd)Knoldus Inc.
 
Testing Harmony Design Patterns & Anti-Patterns Unveiled
Testing Harmony Design Patterns & Anti-Patterns UnveiledTesting Harmony Design Patterns & Anti-Patterns Unveiled
Testing Harmony Design Patterns & Anti-Patterns UnveiledKnoldus Inc.
 
Introduction to AWS CloudWatch Presentation
Introduction to AWS CloudWatch PresentationIntroduction to AWS CloudWatch Presentation
Introduction to AWS CloudWatch PresentationKnoldus Inc.
 
Benefit of scrum ceremonies presentation
Benefit of scrum ceremonies presentationBenefit of scrum ceremonies presentation
Benefit of scrum ceremonies presentationKnoldus Inc.
 
Unleashing Real-time Power with Kafka.pptx
Unleashing Real-time Power with Kafka.pptxUnleashing Real-time Power with Kafka.pptx
Unleashing Real-time Power with Kafka.pptxKnoldus Inc.
 

Mehr von Knoldus Inc. (20)

Mastering Distributed Performance Testing
Mastering Distributed Performance TestingMastering Distributed Performance Testing
Mastering Distributed Performance Testing
 
MLops on Vertex AI Presentation (AI/ML).pptx
MLops on Vertex AI Presentation (AI/ML).pptxMLops on Vertex AI Presentation (AI/ML).pptx
MLops on Vertex AI Presentation (AI/ML).pptx
 
Introduction to Ansible Tower Presentation
Introduction to Ansible Tower PresentationIntroduction to Ansible Tower Presentation
Introduction to Ansible Tower Presentation
 
CQRS with dot net services presentation.
CQRS with dot net services presentation.CQRS with dot net services presentation.
CQRS with dot net services presentation.
 
Building Resilient Software A Deep Dive into Self-Healing Test Automation Fra...
Building Resilient Software A Deep Dive into Self-Healing Test Automation Fra...Building Resilient Software A Deep Dive into Self-Healing Test Automation Fra...
Building Resilient Software A Deep Dive into Self-Healing Test Automation Fra...
 
Introduction to Buildpacks.io Presentation
Introduction to Buildpacks.io PresentationIntroduction to Buildpacks.io Presentation
Introduction to Buildpacks.io Presentation
 
Introduction to Falco presentation.pptxx
Introduction to Falco presentation.pptxxIntroduction to Falco presentation.pptxx
Introduction to Falco presentation.pptxx
 
Spark Unveiled Essential Insights for All Developers
Spark Unveiled Essential Insights for All DevelopersSpark Unveiled Essential Insights for All Developers
Spark Unveiled Essential Insights for All Developers
 
Understanding System Design and Architecture Blueprints of Efficiency
Understanding System Design and Architecture Blueprints of EfficiencyUnderstanding System Design and Architecture Blueprints of Efficiency
Understanding System Design and Architecture Blueprints of Efficiency
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
Getting Started With React Native Presntation
Getting Started With React Native PresntationGetting Started With React Native Presntation
Getting Started With React Native Presntation
 
Elastic Search Capability Presentation.pptx
Elastic Search Capability Presentation.pptxElastic Search Capability Presentation.pptx
Elastic Search Capability Presentation.pptx
 
Kotlin With JetPack Compose Presentation
Kotlin With JetPack Compose PresentationKotlin With JetPack Compose Presentation
Kotlin With JetPack Compose Presentation
 
Angular AG grid and its features with Pagination
Angular AG grid and its features with PaginationAngular AG grid and its features with Pagination
Angular AG grid and its features with Pagination
 
Grafana Loki (Monitoring Tool) Presentation
Grafana Loki (Monitoring Tool) PresentationGrafana Loki (Monitoring Tool) Presentation
Grafana Loki (Monitoring Tool) Presentation
 
Components in Ionic Presentation (FrontEnd)
Components in Ionic Presentation (FrontEnd)Components in Ionic Presentation (FrontEnd)
Components in Ionic Presentation (FrontEnd)
 
Testing Harmony Design Patterns & Anti-Patterns Unveiled
Testing Harmony Design Patterns & Anti-Patterns UnveiledTesting Harmony Design Patterns & Anti-Patterns Unveiled
Testing Harmony Design Patterns & Anti-Patterns Unveiled
 
Introduction to AWS CloudWatch Presentation
Introduction to AWS CloudWatch PresentationIntroduction to AWS CloudWatch Presentation
Introduction to AWS CloudWatch Presentation
 
Benefit of scrum ceremonies presentation
Benefit of scrum ceremonies presentationBenefit of scrum ceremonies presentation
Benefit of scrum ceremonies presentation
 
Unleashing Real-time Power with Kafka.pptx
Unleashing Real-time Power with Kafka.pptxUnleashing Real-time Power with Kafka.pptx
Unleashing Real-time Power with Kafka.pptx
 

Kürzlich hochgeladen

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 

Kürzlich hochgeladen (20)

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf

JSON WEB TOKEN

  • 2. Introduction JWT: JSON Web Tokens (JWT) are an open, industry-standard method (RFC 7519) for representing claims securely between two parties. Authorization strategies: 1) Session token 2) JSON Web Token
  • 3. Session Token: In session-based authentication, the server creates a session for the user after the user logs in. The session id is then stored in a cookie on the user's browser. While the user stays logged in, the cookie is sent along with every subsequent request. The server compares the session id from the cookie against the session information held in its memory to verify the user's identity and sends a response with the corresponding state. Every authorization mechanism, whether session-based, JWT or whatever comes next, exists because of one property of HTTP. HTTP: HTTP is a stateless protocol. This means an HTTP server need not keep track of any state information, so every interaction in HTTP has to contain all the information needed for that interaction; nothing is remembered and no state is maintained across multiple requests.
  • 5. Session Token Problem: A modern web app runs on multiple servers, with a load balancer deciding which server handles each request. Suppose the login request is routed to server-1 and the session is kept in server-1's memory. The next request may go through the load balancer to server-2, which has no idea about the previous exchange: only server-1 recognizes the session id. The usual workarounds, sticky sessions or a shared session store, add infrastructure and coupling that a stateless token avoids.
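The following is an added example, not code from the original slides: a small Python simulation of two app servers with private in-memory session stores behind a round-robin load balancer. The server names, the user name and the round-robin policy are assumptions made for the demo. It goes one step beyond the slide by also running the same requests against a shared session store, so the two behaviours can be compared side by side.

```python
import itertools
import secrets
from typing import List, Optional


class AppServer:
    """One application instance. By default it keeps sessions only in its own memory."""

    def __init__(self, name: str, store: Optional[dict] = None):
        self.name = name  # assumed name, e.g. "server-1"
        # A private per-server dict is exactly the situation the slide describes;
        # passing the same dict to several servers models a shared session store.
        self.sessions = {} if store is None else store

    def login(self, username: str) -> str:
        # Mint an unguessable session id and remember who it belongs to.
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"user": username}
        return session_id

    def handle(self, session_id: str) -> str:
        # The server only knows sessions that are in the store it can see.
        session = self.sessions.get(session_id)
        if session is None:
            return f"{self.name}: 401 unknown session"
        return f"{self.name}: 200 hello {session['user']}"


class LoadBalancer:
    """Round-robin: each incoming request goes to the next server in turn."""

    def __init__(self, servers: List[AppServer]):
        self._servers = itertools.cycle(servers)

    def next_server(self) -> AppServer:
        return next(self._servers)


def simulate(shared_store: bool) -> List[str]:
    """Log in once, then send two follow-up requests; return the two responses."""
    store = {} if shared_store else None
    lb = LoadBalancer([AppServer("server-1", store), AppServer("server-2", store)])
    # Request 1 (login) lands on server-1; request 2 lands on server-2.
    session_id = lb.next_server().login("alice")  # constructed sample user
    return [lb.next_server().handle(session_id), lb.next_server().handle(session_id)]


if __name__ == "__main__":
    print("private stores:", simulate(shared_store=False))
    print("shared store:  ", simulate(shared_store=True))
```

With private stores the request that reaches server-2 is rejected even though the user just logged in; with a shared store both servers accept it, which is the coupling the slide's load-balancer problem forces on a session-based design.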
  • 7. If you can decode a JWT, how is it secure? JWTs can be signed, encrypted or both. If a token is signed but not encrypted, everyone can read its content, but without the signing key (the HMAC secret or the private key) nobody can change it: the receiver will notice that the signature no longer matches.
  • 8. What happens if your JSON Web Token is stolen? It is bad. Really bad. Because JWTs are used to identify the client, if one is stolen the attacker has full access to the user's account information. With your JWT in hand, the attacker can send requests to the server identifying themselves as you and do things like make service changes or update the user account. Once an attacker has your JWT it is game over. But there is one thing that makes a stolen JWT slightly less bad than a stolen username and password: timing. Because a JWT can be configured to expire automatically after a set amount of time, the attacker can only use it to access the service until it expires. This is one of the ways token authentication is said to make authentication more "secure": short-lived tokens.
  • 9. When should you use JSON Web Tokens? ● Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request includes the JWT, allowing the user to access the routes, services and resources permitted by that token. ● Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because a JWT can be signed, for example using public/private key pairs, you can be sure the senders are who they say they are, and because the signature is computed over the header and payload you can also verify that the content has not been tampered with.
  • 10. What does a JWT look like?
  • 12. JSON Web Token structure: 1) Header 2) Payload 3) Signature HEADER: The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC with SHA-256 (HS256) or RSA (RS256).
  • 13. Payload: The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) plus additional data. There are three types of claims: ● Registered ● Public ● Private claims. Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Examples: iss (issuer), sub (subject), exp (expiration time) and others.
  • 14. Public claims: These can be defined at will by those using JWTs. To avoid collisions they should be defined in the IANA JSON Web Token Claims Registry or as a URI that contains a collision-resistant namespace. Private claims: These are custom claims created to share information between parties that agree on using them, and are neither registered nor public claims. An example payload could be: { "sub": "1234567890", "name": "John Doe", "admin": true }
  • 15. Signature: ● To create the signature part you take the encoded header, the encoded payload, a secret, and the algorithm specified in the header, and sign that. The receiver recomputes the signature with the same key and compares it to the one carried in the token; any change to the header or payload makes the two differ.
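To tie slides 12 to 15 together, and to make concrete the points of slides 7 and 8 (a signed token is readable by anyone but not alterable, and a short exp limits the damage of a stolen token), here is an added example that is not part of the original slides. It builds an HS256 token from the header, the example payload and a secret using only the Python standard library, verifies it, and then shows what happens to a token whose payload was edited, a token signed with the wrong key, and an expired token. The secret, the timestamps and the five-minute lifetime are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample secret for the demo (assumption; never hard-code a real one).
SECRET = b"example-shared-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding removed (RFC 7515, Appendix C).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # signature = HMAC-SHA256(base64url(header) + "." + base64url(payload), secret)
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}.{encoded_payload}.{b64url_encode(signature)}"


def decode_unverified(token: str) -> dict:
    # Slide 7: a signed-but-unencrypted token is readable by anyone, no key needed.
    _, encoded_payload, _ = token.split(".")
    return json.loads(b64url_decode(encoded_payload))


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if signature and exp check out, otherwise raise ValueError."""
    try:
        encoded_header, encoded_payload, encoded_signature = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(encoded_header))
    # Pin the algorithm: the verifier decides how to verify, not the token.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(encoded_signature)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(encoded_payload))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def tamper_admin(token: str) -> str:
    # Edit the payload (admin -> true) but keep the original signature, as an
    # attacker without the key would have to.
    encoded_header, encoded_payload, encoded_signature = token.split(".")
    claims = json.loads(b64url_decode(encoded_payload))
    claims["admin"] = True
    forged_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{encoded_header}.{forged_payload}.{encoded_signature}"


def demo() -> dict:
    """Issue one token and report how the verifier treats it and three bad variants."""
    issued_at = 1_700_000_000  # assumed fixed clock so the run is reproducible
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": "1234567890", "name": "John Doe", "admin": False,
              "iat": issued_at, "exp": issued_at + 300}  # five-minute lifetime
    token = sign_hs256(header, claims, SECRET)
    results = {"readable_without_key": decode_unverified(token)["name"]}
    results["valid"] = verify_hs256(token, SECRET, now=issued_at + 10)["sub"]
    for label, candidate, at in [
        ("forged", tamper_admin(token), issued_at + 10),
        ("wrong_key", sign_hs256(header, claims, b"some-other-key"), issued_at + 10),
        ("expired", token, issued_at + 301),
    ]:
        try:
            verify_hs256(candidate, SECRET, now=at)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The three rejected variants are the whole story of slide 7: reading the payload costs nothing, but changing a single claim or signing with a different key breaks the HMAC, and the exp check is what turns a stolen token from a permanent credential into a time-boxed one.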