Title: Breaking down JSON Web Tokens: From pros and cons to building and revoking. Author: The FusionAuth Team. Publisher: Leanpub. Year: 2022-02-25. Language: English. Format: pdf (true), mobi, epub. Size: 10.1 MB
JSON Web Tokens, or JWTs, are a powerful tool to encapsulate information in an integrity preserving fashion. This technology is widely deployed and supported, and can help you build scalable, secure systems.
JSON Web Tokens, or JWTs, are self-contained, portable, stateless tokens that are often issued by identity providers or otherwise used to safely transmit state between different parts of a system.
This book will dive deep into various aspects of JWTs, from creation to revocation. You'll also learn about all the pieces of a JWT and how you can validate them, should you be building an API or microservice that is presented with one.
First things first. JSON Web Tokens, or JWTs, are pronounced ‘jot’, not J-W-T. There are two kinds of JWTs: signed and encrypted. Signed JWTs allow you to cryptographically verify the integrity of the JWT. That means you can be assured the contents are unchanged from when the signer created it. However, signed JWTs do not protect the data carried from being seen; anyone who possesses a JWT can see its content. You don’t want to put anything in a JWT that should be a secret or that might leak information.
Encrypted JWTs, on the other hand, have a payload that cannot be read by those who do not possess the decryption key. If you have a payload that must be secret and both the creator and recipient of the JWT support it, encrypted JWTs are a good solution.
In general, signed JWTs are far more common. Unless otherwise noted, if this book uses the term JWT, it refers to a signed JWT. JWTs are often used as stateless, portable tokens of identity. This usage will be the focus of this book, but what does that actually mean?
- They are stateless because the integrity of the information can be determined without contacting any remote service or server. The aforementioned signature allows a consumer of a JWT to verify the integrity without any network access.
- They are portable because, even though they contain characters such as `{` that are typically not acceptable in certain contexts, JWTs use base64 URL encoding. This encoding ensures that the contents are safe for HTTP headers, cookies, and form parameters.
- Because of the flexibility of the JSON format, JWTs can encapsulate identity information, such as roles and user identifiers.
The combination of these attributes means that JWTs are great for transporting identity information to different services. One service may authenticate the user and create a JWT for the client, and then other services, which offer different functionality and data depending on who the user is, can consume that JWT. This works especially well for APIs and microservices, which have minimal information about the user in their datastore. This is why many auth servers, also known as identity providers, issue JWTs.
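The three properties the excerpt describes (a signature that can be checked offline, base64url encoding that keeps the token safe for headers and cookies, and a payload that anyone can read without the key) are easiest to see in a minimal signed JWT built by hand. The following is an added example, not code from the book or from FusionAuth; it uses only the Python standard library, a constructed demo key, and an HS256 (HMAC-SHA256) signature, and the claim values are made up for illustration.

```python
import base64
import hashlib
import hmac
import json
import string
from typing import Optional

# Characters allowed in a compact-serialised JWT: base64url alphabet plus the '.' separator.
URL_SAFE = set(string.ascii_letters + string.digits + "-_.")


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, which is why a JWT fits in headers, cookies and form fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def read_claims_unverified(token: str) -> dict:
    """The payload is only encoded, not encrypted: no key is needed to read it.
    This is the reason the book warns against placing secrets in a signed JWT."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Check integrity locally (no network call) and return the claims, or None if the token is not trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        # Accept only the algorithm this verifier is configured for; never trust the header's choice blindly.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return None
        return json.loads(b64url_decode(parts[1]))
    except ValueError:  # malformed base64url or JSON
        return None


def is_url_safe(token: str) -> bool:
    """Portability check: every character survives HTTP headers, cookies and URLs unescaped."""
    return set(token) <= URL_SAFE


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-reuse"  # constructed for this example
    token = create_jwt({"sub": "user-123", "roles": ["admin"]}, demo_key)
    print("token:", token)
    print("url-safe:", is_url_safe(token))
    print("readable without key:", read_claims_unverified(token))
    print("verified with key:", verify_jwt(token, demo_key))
    print("verified with wrong key:", verify_jwt(token, b"another-key"))
```

Running the script shows the same claims coming back from `read_claims_unverified` (no key) and from `verify_jwt` (key required), while a wrong key or any change to the payload segment makes `verify_jwt` return `None`: integrity is protected, confidentiality is not.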