Introduction to JWT (JSON Web Token) - Securing apps & services

  • Published: 10 Sep 2024
  • - What is JWT (JSON Web Token)
    - What is the structure of a JWT
    - What are the Header, Payload (claims) and Signature of a JWT
    - How is JWT used in applications
    - How to create, tamper with and verify a JWT (understanding JWT, with no code)

Comments • 222

  • @shaneperera6635 8 years ago +3

    After hours of reading articles, this finally helped me to understand how everything fits together. Great explanation.

  • @factionzer0 5 years ago +3

    Wow...this video was phenomenal. I was having some trouble wrapping my head around the flow of JWT's and this video cleared it up completely!

  • @motamendez 8 years ago +50

    Give a cookie to this man! Nice video, I love you my man

    • @Techcbt-online 8 years ago +3

      Ha ha..Thank you

    • @jasmeetsingh301 7 years ago +12

      Cookies are what he wants us to avoid.

    • @ranjan5ua 7 years ago

      Funny Jasmeete...Very funny..Excellent sense of humor.

    • @dirk1499 7 years ago

      You saw the chance and took it :)

  • @seriousguy2007 5 years ago +1

    I have never seen something explained like this! Great job sir! I am your fan already.

  • @vedangkavathiya8652 1 year ago +1

    Thank you sooooooooooooooooooooooooo much. You earned one more subscriber. You made my concept crystal clear 🙂

  • @s001dxp 7 years ago

    Very clear and thorough explanation of the topic. Thanks for taking the time to teach this!

  • @VinodKumarBM 5 years ago

    Have seen many videos on JWT, but now I have a good understanding of JWT. Thank you.

  • @adeelawan9259 8 years ago

    No doubt, it is a great tutorial to learn JWT and flow of JWT based APIs. Thank you very much.

  • @hoaktechology670 7 years ago

    Very nicely explained. Clear, simple understandable format. Thank you very much!

  • @onwuzorvictor3937 6 years ago

    Best explanation of JWT concept so far

  • @dnyaneshmisal6786 5 years ago

    This video gives very clear understanding of JWT. Thank you sir for making such a wonderful video !!

  • @SushilKumarBhaskar 5 years ago +2

    100000+ Incremental Likes, Excellently Explained... ee+

  • @trevorward5709 8 years ago +1

    Great video, very informative. Thanks very much!

  • @MovementVibes 7 years ago +13

    Best JWT tutorial on YouTube. However, I wonder how a client can verify that the data is not tampered with, as the client doesn't know the hashing key.

    • @connchri 7 years ago +6

      The client doesn't use the data in the JWT - it's used server side and it's there that it needs to be checked against tampering. If you have a non-traditional web app, and have a client side app that uses JWT, then you'll need to find a secure way to share the secret so the client can verify the signature. The issue then being, if the secret becomes compromised, then you have lost all security.

    • @ericlin1824 6 years ago +2

      You can use a private key to sign the signature in the server side. Public key to verify the signature on the client side.

  • @samme4life 4 years ago

    JWT well explained. Thank you for this video.

  • @pkjacobpullolickal7048 7 years ago +1

    Excellent tutorial. Thank You!!

  • @dravidianlabs5007 8 years ago

    Wonderful tutorial, beautifully structured and basics are covered in detail.

  • @sajidrazarizvi9628 7 years ago

    Best video on JWT, well explained !! Thank you .

  • @TellaTrix 7 years ago

    A fabulous way of teaching the JWT tech article. The video makes sense in each sentence and is properly understood. Keep updating us. I am awaiting a practical session with C#.

  • @teshomealemayehu5248 8 years ago

    What you are doing is really cool. Thanks

  • @srinicissp6076 5 years ago

    Very well made. Crisp and sharp.

  • @amarasrilekha8091 1 year ago

    very clear explanation

  • @aArcziMetin2 7 years ago

    Very very good explanation! After all those months :D I get it now! Thanks!

  • @kingramses8361 7 years ago +1

    Awesome tutorial. Thanks!

  • @bobbysugianto5744 5 years ago +1

    PERFECT TUTORIAL
    Liked and subscribed!
    Keep up the good work Sir

  • @SamVsCode 5 years ago

    What if a hacker gets access to the token of one of my clients? He can now do anything he wants on the client app till the token expires. Now, to save myself from this problem, I can create and store a list of blacklisted tokens in the DB and invalidate them once I know there has been malicious activity. But this method creates another problem. The biggest selling point of JWT is that it's stateless, so there is no need to make a DB call while passing the JWT around, but to check the authenticity of the token I now need to make a DB call.
    I still do not understand how JWT is better than any traditional session storage method. If I have to maintain a list of tokens on my server, then how is it any different, or rather how is it more useful, than any other session storage authentication mechanism?

  • @CountOfPersia 7 years ago

    This is the best video on the topic. Excellent work ;)

  • @wwhill8033 6 years ago

    Fantastic explanation, thanks very much.

  • @rajparekh08 8 years ago

    Very well explained. Thank you for taking the time out and making this video.

  • @jasmeetsingh301 7 years ago +1

    Thanks! Very nice explanation. You saved me a lot of time.

  • @seriousguy2007 7 years ago

    Wonderful! I have no software development background but you made it so easy.

  • @chaituvirtusa 5 years ago

    I have a question: how can the client verify whether the JWT has been tampered with (in step 4)? For verification it needs the 'secret key' used by the server for generating the signature.

  • @padole7385 8 years ago

    Very nicely explained !!

  • @chandra9491 4 years ago

    Does the client verify the signature? If so, then the client should know the password, right? Or does only the server verify the signature?!!

  • @codmobile9727 8 years ago

    Nice and simple... great work, mate...

  • @miguel.arcanjo 3 years ago

    Thank you for sharing the knowledge in such a didactic way!

  • @ravitejamadishetty3278 7 years ago

    Hi, can we modify the "username" in the payload of the JWT token which is coming from the server, where I can decode the entire JWT token along with the signature again and send it back to the server for the info of another user??

  • @timothyross4766 7 years ago

    Nice vid! Really makes sense.

  • @JetseDas 7 years ago

    If you store the token in localstorage, does it imply you set a very long expiration time for the token? In the tutorial I did, they set the expiration time to three hours. How would that work in a real world scenario? You would be logged out almost every time you come back right?

  • @sanjaymahadevan4367 6 years ago

    I am trying to use the jwt strategy two times with different collections for user and admin, so that routes can be protected accordingly, but as soon as I use it for admin, it's showing an authentication error for user, and no data of the user is visible at the client side, but it is stored in local memory.

  • @kalyanhr 7 years ago

    Very informative and well presented!!

  • @ZuberVhora 6 years ago

    Sir, I have one question: in JWT, do we have to store the encoded data in the database table also?
    Like if the username is "abc", then do we have to first encode it before storing it into the database?
    Thanks in advance.

  • @prabhu3903 8 years ago

    That was the best explanation in 30 mins :)

  • @vallard- 8 years ago

    at 14:50 shouldn't it be var jwt = s + "." + base64Encode(payload) + "." + base64Encode(signature) ?

  • @kempannamudalagi6906 8 years ago

    Awesome, very informative video on JWT

  • @GauravKawatrakir 5 years ago

    Why do we use JWT, I mean tokens, when we already have an authentication mechanism?

  • @AlexB-tt5di 7 years ago

    Very well explained

  • @mainulhasan35 6 years ago

    Excellently explained!

  • @MadanNeelapu 6 years ago

    Very nice, but very slow. But it helped me understand JWT. Thank you so much.

  • @TVP_Akshay 6 years ago

    Awesome presentation. Thank you

  • @saifatali7885 7 years ago

    Thanks! You saved me a lot of time.

  • @Bibhaw 7 years ago

    very well explained. Thank You.

  • @dhawalbhanushali4967 6 years ago

    During subsequent requests, does the server need to verify that they are coming from the right host/client?

  • @abhishekp6080 5 years ago

    At step 4, how can a client verify whether the JWT token has been tampered with or not?

  • @sagarahuja5667 6 years ago

    I have stored some logged-in user values in the token. When the user edits them, I want to refresh the token; is there any way?

  • @SumanNath25 5 years ago

    What is the strongest and most secure web authentication that works over plain HTTP (NOT HTTPS)?

  • @humble_integrity 8 years ago

    so what if we do want to encrypt something, what would you suggest for this? jwe?

  • @meditationmethods9421 7 years ago

    Hi,
    When the credentials are passed to the server, what 'secret' will be used by the server to create a token? Will this be shared with the client ?
    Thanks.

  • @robertkaufman1406 8 years ago +4

    Around 19:00, you say that the client can verify the token, but I don't think that is possible, since only the server will have the secret key which is necessary to do this. Am I missing something?

    • @Techcbt-online 8 years ago +2

      It is possible using private and public keys as part of the implementation

    • @atif7865 6 years ago +1

      That was a fundamental part of this and you missed it! Even your reply doesn't explain it. Because of this I had to give a thumbs down because no developer will ever use JWT without understanding this part.

  • @vivekmishra5876 5 years ago

    Great tutorial

  • @MrKirankoyelada 7 years ago

    Nice video and nice explanation

  • @manishavyas1846 8 years ago

    Thank you. It's a very informative video.

  • @kssaggu77 5 years ago

    Thanks a lot, very informative

  • @dheerajvv1996 4 years ago

    Awesome content!

  • @tazihosniomar 7 years ago

    Thank you sir, it really helps me a lot

  • @kaysi768 8 years ago

    really well explained, so good thank you

  • @naumanahmed19 8 years ago

    Thanks for sharing your knowledge.

  • @tysonliu2833 5 years ago

    Very helpful!! Just one question: what if someone steals the JWT and pretends to be the issuer and everything?

  • @JohnnyHorvi 8 years ago

    good job, very well explained.

  • @tamersaleh6666 8 years ago

    The best of the best!

  • @chandan3027 6 years ago

    Can't we decode the signature itself? How to save the signature so that it is not decoded by any man in the middle?

  • @ArturMusin 5 years ago

    Nothing but thank you !

  • @anishravindran7545 5 years ago

    Excellent man.. Great video ..

  • @yassinebenhadi4883 6 years ago

    I appreciate this, thanks!

  • @segmentationfaulter 8 years ago

    great introduction to JWT.

  • @testinghybris237 7 years ago

    Nice and simple explanation. ;)

  • @andriiaveiro 7 years ago +1

    What if someone (an eavesdropper) has access to your token and sends it to the server? Can he access everything?

    • @gauravjlj 5 years ago

      I have the same question, or is JWT just so that somebody can't tamper with the information?

  • @HemanthKumar-od2ej 7 years ago

    best video on JWT !!!! :)

  • @AistisJokubauskas 8 years ago

    Great video, thanks mate!

  • @christianaguilar7107 6 years ago

    Excellent explanation.

  • @deepcoolclear 6 years ago

    Excellent overview. One question is: how is the secret key passed to the server in your example to verify the hash? Also, it would be good to mention that you don't need to do JWT-level encryption yourself; you can let the network handle it by using TLS. That also helps against replay. If you can advise whether a JWT should be stored in local storage or as a cookie, that would be beneficial as well in terms of XSS or CSRF.

  • @deepaktibhe 6 years ago

    I am facing some issues with the Qlik Sense JWT configuration. Can anyone assist me on this?

  • @VirajGamage 7 years ago

    17:09 how do you secure the password when sending it to the service? Any mechanism when it comes to REST?

    • @chrach 4 years ago

      Regardless of REST, encrypt the client/server communication channel using https

  • @sankaranarayanan1952 7 years ago

    Great tutorial. One question: anyone can take the JWT and make a request to the server with the token. Is there any server verification that the request is coming from the proper client?

    • @JohanEliasson 7 years ago

      I don't think there is a way to confirm that the request from a client comes from a 'proper' client. And I think that is very much what JWT is about. It is stateless.
      In what kind of use case would this be a problem?

  • @user-qo5fm1ow9v 6 years ago

    Nice tutorial. I have a question.
    After persisting the JWT at the client side, let's say in the browser's local storage, if anyone gets that token then he can access the resource by sending the token in the header. Is there any way we can prevent it?

    • @JPabloDonayreQuintana 6 years ago

      You can add a function like this:

      // Class wrapper added so the private static method below is valid PHP on its own.
      class TokenBinding {
          // Fingerprint of the caller: client IP (from a header or the socket address),
          // user agent and server host name, reduced to a single SHA-1 digest.
          private static function Aud() {
              $aud = '';
              if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
                  $aud = $_SERVER['HTTP_CLIENT_IP'];
              } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                  $aud = $_SERVER['HTTP_X_FORWARDED_FOR'];
              } else {
                  $aud = $_SERVER['REMOTE_ADDR'];
              }
              // Null-coalescing instead of the @ error suppression: same result, no warning.
              $aud .= $_SERVER['HTTP_USER_AGENT'] ?? '';
              $aud .= gethostname();
              return sha1($aud);
          }
      }

      When you generate the token, you can add the result of this function as part of the payload.
      Then when you receive the token back and need to check it, you can compare the decoded "$aud" with the current $aud.
      This solution "reduces the possibility" of re-using your token if someone stole it, since it looks at your IP and browser information.

  • @mukuakuizamorais6214 6 years ago

    How can we protect a token from being stolen? And how does a server create tokens for clients?

  • @na_you_mess_am 7 years ago

    What kind of information can a payload contain? I assume putting username and password would be a silly thing to do?

    • @Techcbt-online 7 years ago

      password would certainly be silly...

    • @dn5426 7 years ago

      Unique id probably?

  • @stevehyuga9216 7 years ago

    It is very long, but very good tutorial.

    • @Techcbt-online 7 years ago

      Thanks for the comment Brian. There have been some repetitions in the video (from the feedback received from readers). We tried to reduce repetitions drastically in recent videos. But, still unable to manage the duration of videos :(

  • @jean-marievidalenc3957 5 years ago

    nice presentation, thanks

  • @davelloyd- 7 years ago

    First - good job explaining, and I liked the demo too, putting it into perspective.
    Feedback: around 12 mins you say the contents cannot be modified without invalidating the token. But you don't say why until 3 mins later when you explain the signature. I think it would be more helpful to at least mention that the hash comes out different if you change the payload during the 12 min section.
    Now some questions:
    1) You mention that it is optional for the client to verify the token. How can the client do this verification since it does not know the secret? This becomes obvious from the demo actually.
    2) The token can be persisted. OK, so if I am a hacker, what is to stop me simply copying the token? Let's imagine that you logged into a web page and received the token - if a hacker copies the token now, he can use the website as if he were you, correct?

  • @wylieclint 8 years ago

    very useful.. thank you.

  • @hardikoladia7630 6 years ago

    Awesome, it would be great if you created Angular 2/4 tutorials and a video on how to use JWT with Angular 2/4

  • @umar8539 6 years ago

    Great explanation. I have a simple question: what if the JWT token were stolen or hijacked?

  • @clivesargeant394 7 years ago

    great tutorial. thanks!

  • @psinghiitr 7 years ago

    excellent presentation.

  • @sanjibdutta9270 7 years ago

    very nice video

  • @mnkartik 7 years ago

    excellent explanation.

  • @ujithaperera2145 8 years ago

    thanks for your effort !

  • @djkadakamc1889 7 years ago

    Nice. Only missing the "refresh" part and considerations regarding the problems of revoking tokens (blacklist and other strategies)

    • @jesus-love 7 years ago +1

      well in order to revoke you must store it somewhere in the backend (redis, mongoDB, levelDB) which defeats the stateless nature of JWTs. Instead you could increase the security some other way like the module below which authenticates tokens based on IP address. Check out the link for more information.
      www.npmjs.com/package/express-jwt-ip
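Added example, not code from the video or from the express-jwt-ip package, for the revocation question raised in this thread and in the @SamVsCode comment above (blacklist versus the stateless trade-off). It operates on claims that have already passed the signature and expiry checks, so no signing code is repeated. The point the thread does not spell out is that only revoked tokens need storing, and only until their exp, so the store stays small compared to a session table that holds every live session; a per-user "revoked before" timestamp covers the log-out-everywhere case with one entry per user. The claim names jti, sub, iat and exp (seconds), the sample times and the class name RevocationStore are assumptions of the example.

```javascript
// Added example (not from the video or any package it mentions): two revocation
// strategies for otherwise stateless JWTs, applied to already-verified claims.
class RevocationStore {
  constructor() {
    // jti -> exp. Only revoked tokens are stored, and only until they would expire anyway.
    this.deniedJti = new Map();
    // sub -> cutoff. Every token for that user issued before the cutoff is invalid
    // (password change, "log out everywhere"): one entry per user, not per token.
    this.revokedBefore = new Map();
  }

  denyToken(claims) {
    this.deniedJti.set(claims.jti, claims.exp);
  }

  revokeAllForUser(sub, cutoffSeconds) {
    this.revokedBefore.set(sub, cutoffSeconds);
  }

  // Drop denylist entries whose token has expired; the exp check alone rejects them from now on.
  prune(nowSeconds) {
    for (const [jti, exp] of this.deniedJti) {
      if (exp <= nowSeconds) this.deniedJti.delete(jti);
    }
  }

  // The per-request check: one lookup against the denylist, one against the per-user cutoff.
  isAllowed(claims, nowSeconds) {
    if (claims.exp <= nowSeconds) return { ok: false, reason: 'expired' };
    if (this.deniedJti.has(claims.jti)) return { ok: false, reason: 'token revoked' };
    const cutoff = this.revokedBefore.get(claims.sub);
    if (cutoff !== undefined && claims.iat < cutoff) {
      return { ok: false, reason: 'issued before user-wide revocation' };
    }
    return { ok: true };
  }
}

// Constructed sample claims: one user, two live tokens (times are seconds).
function demo() {
  const store = new RevocationStore();
  const laptop = { sub: 'alice', jti: 'tok-1', iat: 100, exp: 1000 };
  const phone = { sub: 'alice', jti: 'tok-2', iat: 200, exp: 1000 };
  const steps = [];

  steps.push(['fresh', store.isAllowed(laptop, 300).ok, store.isAllowed(phone, 300).ok]);
  store.denyToken(laptop);              // e.g. the laptop token was reported stolen
  steps.push(['laptop denied', store.isAllowed(laptop, 300).ok, store.isAllowed(phone, 300).ok]);
  store.revokeAllForUser('alice', 250); // e.g. password changed at t=250
  const fresh = { sub: 'alice', jti: 'tok-3', iat: 300, exp: 1200 };
  steps.push(['all revoked', store.isAllowed(phone, 300).ok, store.isAllowed(fresh, 300).ok]);
  store.prune(1000);                    // the laptop token has expired: its entry can go
  steps.push(['pruned', store.deniedJti.size]);
  return steps;
}

console.log(demo());
```

The lookup cost per request is two key lookups, and the denylist is bounded by the access-token lifetime, so keeping access tokens short-lived (minutes) keeps both the store and the window of misuse small; that is the usual reason for pairing short access tokens with a separate refresh step.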

  • @soonclass4269 6 years ago

    Thank you!!!