How to use JWT with RSA key-pair in micro-services. (JWKS.JSON)
- Published: 6 Jul 2021
- #JWT
In this video you will learn how to use an #RSA private/public key pair, instead of a shared secret, to sign and verify your JWTs. Rather than a symmetric key (HS256) that every service must hold, we use an asymmetric algorithm (RS256): the private key, which only the auth service holds, signs the JWT, and the public key verifies the signature. The tutorial follows the #RFC7517 standard, JSON Web Key. You will learn how to hand the public key to the other micro-services through a JSON Web Key Set (#JWKS), served as a #jwks.json document.
The same mechanism is used by #Auth0, the identity management provider: its #Access tokens are verified on the consumer side against the JWKS it publishes.
Packages used:
express-draft: www.npmjs.com/package/express...
jsonwebtoken: www.npmjs.com/package/jsonweb...
rsa-pem-to-jwk: www.npmjs.com/package/rsa-pem...
express-jwt: www.npmjs.com/package/express...
jwks-rsa: www.npmjs.com/package/jwks-rsa
RFC7517 datatracker.ietf.org/doc/html...
Let's take a moment and appreciate the work you are doing. Honestly, people would charge hundreds of dollars if not thousands for these kind of videos. Very practical and to the point. Amazing explanation. I recently found your channel and believe me the content I'm finding here is exactly what I needed.
Thanks man. Thank you so much for making such helpfull videos for us.
I'm glad that you like it; comments like this motivate me to bring more videos like this. Thank you, subscribe, like, share 🙏
This is the place where real software engineers come to worship :) Thanks for these videos. Practical implementation is much required, you are filling the gap very well :)
I share the sentiment as many other folks who have commented here. I went through many videos to get a simple explanation to JWKS and none was as perfect and simple as your explanation. Crisp explanation. Not too fast, not too slow. Keep coming up with more videos.
Thanks for that!
Subscribe like share
I have only just found out your channel, and I really enjoy them! Thank you 😊!
I’m going to search your video library to check some more!
This is excellent video. Exactly what I needed!
A huge thanks for this video! Great flow of the explanation!!!
Plain and simple! Keep going, please.
Welcome back buddy!!, thanks
Man whenever I dig your channel I found something new ❤️
where have you been amigo ? Have been missing these videos. Great to have you back !
I’ll try to be regular every week
simply awesome tutorial. crisp & concise! was stuck because of jwks issues. thanks a lot for this. :)
Glad it helped!
Loved your explanation.
👏👌👌
Thank you for this great resource.
Very grateful to you
Beautiful.
Clear and Crisp.
Love it
Welcome back buddy!!
Superb explanation and giving really good understanding to the securing API end points in microservice architecture using JWT. very practical!, thank you.
So clearly explained 👍, got here from Google News in the early morning
good explanation..!! you have covered a lot in this one video. Thanks for sharing your knowledge.
Awesome! Thanks
Very good content, very well explained, amazing stuff.
Thank you for this Great video.
This is another level, you are very amazing
This is simply brilliant
Welcome back, man.🎉🎉
Make a series on microservice application design in nodejs.
Great video.
Master is back
You deserve love
tks for sharing ... amazing teacher!
Glad you liked it!
Welcome back ...
Really good explanation and example. Nice job
Glad you liked it!
Informative with demo
Accurate ❤❤
Very well, thank you for your efforts 🙂
Thanks for watching!
Thaaaanks
I just subscribed. Great video. Very well explained with proper code walkthrough. May I know which IDE you are using and which theme. The IDE color coding looks very cool.
Thanks!
Subscribe like share
Waiting for your next video on node js Micro services
Dude, this is an amazing tutorial. Thank you. Quick question for you or anyone. What's the best way to include multiple keys? I have a few different keys on my auth service, for things like email verification, resets, two-point auth. Do the keys need to have a name associated with them at that point? Also, is there any reason I can't store the key sets in a DB? Not for my own auth purposes, but I am building an OAuth-type system so I don't have to keep remaking the front-end logic for all the auth routes, and to offer it for my clients' sites as well. So what I have now is I generate keys using crypto and then save them to an organization model. Is that for any reason a security flaw? Any suggestions on what I should do instead if there are security concerns?
Very amazing video. Please make a video on jose npm package
Bro, it's the same with more features, you can use that as well
Great piece of work. Just a tiny correction for 2:06. You should say "symmetric", not "asymmetric".
Thanks for the great tutorial. I have one doubt. You said JWKS is the representation of the public key, but you passed the private key to convert into JWKS.
You should start tutorials for Spring boot
❤❤❤
And please make a video on how to deploy node microservice on aws or any other
🧡
Make videos please we need you make more videos on backend and front end
Is there a reason I can't just use environment variables and a DB instead of doing all of the work with PEM files? My system is set up so a secret is generated for each user and that is then stored as their own secret environment variable. On requests to my auth server it uses that environment variable to set a cookie, and my auth server verifies the JWT in the cookie against the DB vs a JSON file. But isn't it all the same thing basically? Or is doing it this way worth the change in the code? Also it's a lot of dependencies this way, and that always worries me.
How can we use JWT for authentication for a REST API while mitigating XSS & CSRF attacks?
At 19:50, you should have explained why you're using "RS256", why not "RS384"? I understand these are not related to the keys that you generated. However, the questions about the choices that you made are still confusing to some of us, as to why you did not use X and used XX instead when they look almost similar. Overall, excellent tutorial though. 😃
Hello, I have a question: do you recommend creating your own authentication and authorization instead of outsourcing it? Or getting a library instead? If not, what libraries or paid services do you recommend for medium-scale to large-scale applications? Thank you.
1. Outsourcing? Depends on the project size; if small then definitely yes, for example Firebase Auth, Auth0, magic links, etc. You can use any, each one has its advantages.
2. Library? One more thing, you can definitely use libraries like passport, next-auth for Next.js, etc.
3. If you have a large project, you should OWN your authentication system, otherwise you will be charged a lot in the longer run. But that also means that what you are coding for authentication should be rock solid, and only do that if you know what you are doing; otherwise use an authentication service as above.
Can you please make a series on design patterns, like DDD, TDD, SOLID etc. (Clean Code)?
It is not available on RUclips for NodeJS, please check this out!
Is this flow the same as the OAuth 2.0 Client Credentials flow? Can you please check and tell?
In an authentication system we have two tokens, refreshToken and accessToken. The accessToken needs to be verified on every microservice, so we definitely use a public/private key pair for it. But the refreshToken is only verified on the auth service to return an access token. So, do we use a public/private key pair for the refreshToken also, or stick with secrets?
Exactly, you are correct; you can easily use secrets for refresh tokens, only access tokens need a pub/priv key.
@@mafiacodes Thanks!
@@mafiacodes If we have a secret then we use env vars. But here we cannot push the cert folder to GitHub or set them as env vars. So, how do we handle deployment with the public key and private key?
How to setup authentication for mongodb in kubernetes
I am confused: when you publish jwks.json then attackers are also able to get it and use the man-in-the-middle attack method to decode, verify and change some information? Can you explain it for me??? Thanks in advance!
Only the public key is exposed, and in an asymmetric algorithm like RSA the public key is publishable and it is no harm, because the public key is meant for the public. Moreover, one can only verify the authenticity of the token with this key; he will not be able to modify the token in any way. In case he does modify it, the token would not be valid when verified with the public key.
I got it, thank you so much!
Hi sir,
Can you please tell me the zsh mod you are using? Your terminal looks beautiful.
Thank you
He is using spaceship-prompt
how can I use this method with nginx?
Please
You will write it this way for an Express REST API
If both the auth and resource modules are in the same project, can we directly use the public key to verify the JWT?
Yes
Can we store the keys for RSA in .env files?
Should we include or exclude .pem files while pushing to a remote git repo and deployment?
You can use your RSA PUBLIC key (ONLY PUBLIC) wherever you want, and just keep the private key safely locked...
@@mafiacodes where can we store it for a Docker application?
I echo Krishna Jha
Getting undefined when passing PEM files to the rsaPemToJwk() function...
Can anyone help me?
Note: the PEM file is read properly and the import is also done properly...
Getting the same error here! @yoursTRULY267
const fs = require("fs");
const rsaPemToJwk = require("rsa-pem-to-jwk");

// PEM text of the private key. The path is taken from the command line here;
// the original snippet assumed privateKey was already loaded.
const privateKey = fs.readFileSync(process.argv[2], "utf-8");
// rsa-pem-to-jwk wants a string that ends with a newline, not a Buffer.
const certString = privateKey.endsWith("\n") ? privateKey : privateKey + "\n";
// The third argument "public" asks for the public JWK even though a private PEM is passed in.
const jwk = rsaPemToJwk(certString, { use: "sig" }, "public");
console.log(jwk);
Hello my dear brother, can I ask for help in decrypting the data of a game I want to modify?
like what?
Where to store the token???
Use either httpOnly cookies or Authorization headers
Good night! Why is such a result returned?:
node convertPemToJWK.js
undefined
Please, help me!
@Sahil Arora not yet