Micro Services Classroom Series – 01/Dec/2021

Json Web Tokens (JWT) continued

  • When the client sends a request to authenticate, the server builds the user's data as JSON, digitally signs it and sends it back to the client
  • To prove that it is authenticated, the client must send this digitally signed token with each subsequent request that needs authorization
  • When the server receives the request it verifies the signature first; if the signature is valid it lets the user access the resource, otherwise it rejects the request
  • So we call a JSON Web Token a value token (the token itself carries the claims) and a session token a reference token (the token is only a key that refers to state stored on the server)
  • JWT is an open industry standard, RFC 7519 (Refer Here), a method for representing claims securely between two parties
  • Structure of JWT:
    hhhhhhhhhhhhhhhhhhhhhhhh.ppppppppppppppppppppppppppppppp.sssssssssssssssssssssssssssss
    
    • In the above
      • h represents the base64url-encoded header
      • p represents the base64url-encoded payload
      • s represents the base64url-encoded signature
    • Header:
      • Identifies the algorithm used to generate the signature (the alg field) and the token type (typ)
      • HS256 indicates that the token is signed using HMAC-SHA256
    • Payload:
      • Contains the claims (the data about the user and about the token itself)
      • The JWT specification defines standard (registered) claim names such as iss, sub, aud, exp, nbf, iat and jti
    • Signature: computed over the encoded header and payload with the server's key; it lets the server check that the token was issued by it and has not been modified since
  • Workflow: the client logs in once and receives a signed JWT; it presents that token on every later request, and the server verifies the signature before authorizing the request
  • Problems with JWT
    • JWT is a value token: the header and payload are only base64url-encoded, not encrypted, so anyone holding the token can decode them. Ensure there is no confidential information in a JWT
    • Others cannot tamper with a JWT without breaking the signature, but what if someone steals my JWT and uses it themselves?
      • The server only verifies that the JWT is valid; it does not know who sent it
      • One way of addressing this is OAuth; keeping the token lifetime short (the exp claim) also limits how long a stolen token stays useful
    • How do you disable a JWT before it expires? => Blacklist it: record the token's identifier (jti) on the server and reject any token whose jti is on the list
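The token structure and the two failure modes described above (a payload anyone can read, and a stolen token that still verifies) as an added, runnable example. This is not code from the course; it uses only the Python standard library, a constructed signing key and a fixed clock, and goes one step beyond the notes by also checking the exp claim and a jti blacklist, which is the blacklist the last bullet asks about.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key: a real server loads its signing key from configuration.
SECRET = b"example-signing-key-do-not-use"


class InvalidToken(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7519 requires for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def encode_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature, signing with HS256 (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_payload(token: str) -> dict:
    """Decode the payload WITHOUT the key or any verification: anyone who holds
    the token can do this, which is why a JWT must not carry secrets."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, revoked: set, now=None) -> dict:
    """Check the signature first, then expiry, then the server-side blacklist."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own `alg` choose how it is verified.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("expired")
    if claims.get("jti") in revoked:
        raise InvalidToken("revoked")
    return claims


def outcome(token: str, revoked: set, now: float) -> str:
    """Demo helper: the subject on success, otherwise the rejection reason."""
    try:
        return verify_jwt(token, SECRET, revoked, now=now)["sub"]
    except InvalidToken as err:
        return str(err)


def demo() -> dict:
    revoked: set = set()
    issued = 1_700_000_000  # constructed fixed clock so the run is deterministic
    token = encode_jwt(
        {"sub": "alice", "role": "user", "iat": issued, "exp": issued + 900, "jti": "t-1"},
        SECRET,
    )
    # Tampered copy: rewrite the payload to claim the admin role, keep the old signature.
    head, _, sig = token.split(".")
    forged = dict(peek_payload(token), role="admin")
    tampered = head + "." + b64url_encode(compact_json(forged)) + "." + sig

    results = {
        "valid": outcome(token, revoked, issued + 10),
        "peeked_role": peek_payload(token)["role"],  # readable with no key at all
        "tampered": outcome(tampered, revoked, issued + 10),
        # A stolen but unmodified token verifies exactly like the owner's copy...
        "stolen": outcome(token, revoked, issued + 10),
        # ...until it expires or its jti is blacklisted on the server.
        "after_expiry": outcome(token, revoked, issued + 900),
    }
    revoked.add("t-1")
    results["after_blacklist"] = outcome(token, revoked, issued + 10)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design choices worth copying: the verifier pins the algorithm to HS256 instead of reading it from the header, so a token cannot choose a weaker check for itself, and the signature comparison uses hmac.compare_digest so timing does not leak how many bytes matched. Note also that the blacklist is the only thing that makes a valid, unexpired token stop working, which is the state the server has to keep for logout.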

Authentication Services and Security with Json Web Tokens

  • We will try to implement the functionality of Authentication and Security in four parts

    • Authenticating the user and allowing them to login
    • Recipe Sharing system and allowing users to publish or unpublish their recipes
    • Refresh our security token and implement the logout feature
    • We will try to understand how to blacklist JWTs
  • Before we dive into using the package discussed below we need two very important configuration keys

    • SECRET_KEY: the key used to generate (and verify) the signature
    • JWT_ERROR_MESSAGE_KEY: the JSON key under which the library returns its error message when a request fails (for example a missing or expired token). The default value is msg, but we will set it to message here
  • To implement JWT in Flask we need the package Flask-JWT-Extended

  • Flask-JWT-Extended:

    • Refer Here for the official docs
    • To use the library we need to create a JWTManager object and register it with the Flask application in app.py
    • Refer Here for the changes done to get started with JWT


About learningthoughtsadmin