By Matías Nieves

What is it for?

Token based authentication is a new security technique for authenticating a user who attempts to log in to a secure system (e.g. server), using a signed token provided by the server.

The authentication is successful if the system can prove that the tokens belong to a valid user.

It is important to note that Json Web Token (JWT) provides signed tokens but not encrypted ones, so passwords or any critical information must not be included in the token unless you encrypt the data (e.g. using JWE).

Why use it?

Here are some advantages of choosing JWT:

  • Standard: JWT is becoming a standard, and there a multiple libraries for a lot of languages (Ruby, Java, Python, Node, Backbone). So the integration with your language or technology should be pretty easy.
  • Cross-domain / CORS: Since the information is transmitted using an HTTP header, you are able to make AJAX requests to any server or domain.
  • Protection from CSRF: The token must be included in every request made to the server, and will be validated by the server. The token is linked to the user’s current session.
  • Server side Scalability: The token is self-contained(i.e. contains all the user info), so there’s no need to keep a session store. The rest of the state lives in the client’s local storage.
    The token might be generated anywhere, so you are not tied to any specific authentication scheme, decoupling this process from your application.

Warning: since the information is transmitted in an HTTP header and its size is limited, the token size could be an issue.

How does it work?

Let’s see an example of how to use JWT to authenticate a user. In this example we will be using Ruby, Rails and AngularJS.

Server Side

Let’s suppose we have an authentication controller.

When a post to create a session comes to the server, we validate the user and create a new JWT.

Then, for every request we have to validate the token before processing it.

Let’s take a look at the token. When we encode a new token, we get this string:

Then, when we decode the token, we retrieve this:

If we want, we could add some claims to the token:

  • exp : identifies the expiration time on or after the token MUST NOT  be accepted for processing.
  • nbf : identifies the time before the token MUST NOT be accepted for processing.
  • iat : identifies the time when the  JWT was issued.

Client Side

An example of a sign in request to the server from the Angular app.

Once we have the token, we can make any request to the server using the token.

Reference Links

  • Chris

    Hi, I’m the maintainer for a new gem called ruby_jwt, It allows for all the currently supported algorithm types: HMAC, RSA, ECDSA, and none. It also has built in verification for the expiration, issuer, audience, and not before claims. Please take a look if you get a chance.