What is JWT, and why should we use JWT?
JWT stands for JSON Web Token. We use JWT for authorization, not for authentication.
What is Authentication?
In authentication we take the username and password from the user and check that both are correct; that process is called authentication.
What is Authorization?
Authorization means checking that the user sending the HTTP request to the server is the same user that logged in during the authentication process.
The way it normally happens: the user sends the username and password to the server to log in. The server checks the credentials; if they are correct, it stores the user data in a session in the database and sends the session ID to the browser as a cookie. When the user sends a request with the session cookie, the server verifies the session, looks up the user, and sends the response back to the browser or client.
With JWT (JSON Web Token), the user sends the username and password to the server to log in. The server checks the credentials; if they are correct, it creates a JSON Web Token from the user data and a secret and sends it back to the client. When the user sends a request with the JSON Web Token, the server simply verifies whether the token is valid; if it is, the server gets the user from the token, processes the request, and sends the response to the client.
If someone wants to change or modify any data in the token, the server will consider it an invalid token, because the token is protected with a digital signature computed with the secret when it is created.
With sessions we store the information in the server database, but with JWT we don't store any data in the server database.
Collected from: https://jwt.io/
On the left-hand side:
We have the token, and the token has 3 parts:
- eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 - the red part stores the header information.
- eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ - this part contains the payload information.
- SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c - this part contains the signature (the "verify signature" part).
On the right-hand side:
Header section: this section contains the metadata of the token: which algorithm is used for the token and the type of the token.
Payload section: this section contains the user information that we set in the token payload when creating the token.
Verify Signature: this section shows how the token signature is computed. The token is secure against tampering because, as you can see in the verify signature section,
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
it base64url-encodes the header and the payload, joins them with a dot, and hashes that string with HMAC-SHA256 using the secret as the key. So if you change the payload data on the client and send the request to the server, the server's recomputed signature will not match the signature stored in the token, and the token will be considered invalid.
Why should we use JWT?
Example: the requirement is that if you have authenticated on Server 1, you don't need to authenticate again to get access to Server 2.
Using a session:
Since both servers have their own database, if the user authenticates on server 1 the session is stored in the database of server 1. So the cookie the user got from server 1 will not work on server 2, because the session is not stored in the database of server 2. With this approach we cannot fulfil the above requirement.
Using JWT:
Once the user authenticates on server 1, server 1 does not store anything in its database; it sends the user a JSON Web Token that itself contains the user information and is protected with the secret. So the user can use the same JSON Web Token to access server 2. When the user sends any request with the same token to server 2, server 2 verifies whether the token is valid; if it is, server 2 reads the user information from the token, considers the user authorized, processes the request, and sends the response to the client.
Note: both servers must have the same secret key.
For this kind of scenario JWT is very helpful.
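The signature formula and the two-server scenario above, worked through in Python as an added example (not code from the article or from jwt.io): it builds and verifies an HS256 token by hand using the header and payload of the jwt.io token quoted earlier, verifies it again with only the shared secret (the role of server 2), and shows that a payload edited on the client is rejected. The secret "your-256-bit-secret" is assumed to be the jwt.io debugger's default; the article does not state it.

```python
import base64
import hashlib
import hmac
import json
def b64url(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_json(obj: dict) -> bytes:
    # No whitespace and insertion-ordered keys, so the encoding matches jwt.io's
    return json.dumps(obj, separators=(",", ":")).encode()

def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    # header.payload.signature, where signature = HMAC-SHA256 keyed with the secret
    signing_input = b64url(compact_json(header)) + "." + b64url(compact_json(payload))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, secret: str):
    # Return the payload if the signature is valid, otherwise None.
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the server decides how to verify, never the token's header
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))

# Constructed sample: the header and payload of the jwt.io token quoted in the article.
# The secret is assumed to be jwt.io's default; the article does not state it.
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
SHARED_SECRET = "your-256-bit-secret"
def two_server_demo():
    # "Server 1" issues the token; "server 2" needs only the shared secret to verify it
    token = sign_hs256(HEADER, PAYLOAD, SHARED_SECRET)
    accepted = verify_hs256(token, SHARED_SECRET)
    # A client that edits the payload keeps the old signature, which no longer matches
    h, _, s = token.split(".")
    forged = h + "." + b64url(compact_json({**PAYLOAD, "name": "Mallory"})) + "." + s
    return accepted == PAYLOAD, verify_hs256(forged, SHARED_SECRET) is None
```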
I hope this article is helpful for you. I am very glad to help you; thanks for reading.