19. JWT and API GOAL
1. Authorize request
2. Verify the sender
3. Avoid Man in the middle
4. Expiration
5. Requests Cloning
20. Advantages 1/3
● Cross-domain / CORS: cookies + CORS don't play well across different domains.
● Stateless (a.k.a. Server side scalability): there is no need to keep a session store,
the token is a self-contanined entity that conveys all the user information. The rest of
the state lives in cookies or local storage on the client side.
● CDN: you can serve all the assets of your app from a CDN (e.g. javascript, HTML,
images, etc.), and your server side is just the API.
21. Advantages 2/3
● Mobile ready: when you start working on a native platform cookies are not
ideal when consuming a secure API (you have to deal with cookie containers).
● CSRF: since you are not relying on cookies, you don't need to protect against
cross site requests
● Performance: we are not presenting any hard perf benchmarks here, but a
network roundtrip (e.g. finding a session on database) is likely to take more
time than calculating an HMACSHA256 to validate a token and parsing its
contents.
22. Advantages 3/3
● Functional tests, you don't need to handle any special case for login.
● Standard-based: your API could accepts a standard JSON Web
Token (JWT). This is a standard and there are multiple backend
libraries (.NET, Ruby, Java,Python, PHP) and companies backing
their infrastructure
● Decoupling: you are not tied to a particular authentication scheme.
The token might be generated anywhere, hence your API can be
called from anywhere with a single way of authenticating those calls.
JSON Web Token (JWT) is a useful standard becoming more prevalent, because it sends information that can be verified and trusted with a digital signature. In their most basic form, JWTs allow you to sign information (referred to as claims) with a signature and can be verified at a later time with a secret signing key. The spec is also designed with more advanced features that help against man-in-the-middle and replay attacks.
Why Are JWTs Important?
They handle some of the problems with information passed from a client to a server. JWT allows the server to verify the information contained in the JWT without necessarily storing state on the server. As a trend, we are seeing more and more SaaS products include JWT integrations as a feature or using JWT in their product directly. Stormpath has always followed secure best practices for JWTs, in several parts of our stack, so we want to share some best practices for using JWT the right way.
JSON Web Token (JWT) is a useful standard becoming more prevalent, because it sends information that can be verified and trusted with a digital signature. In their most basic form, JWTs allow you to sign information (referred to as claims) with a signature and can be verified at a later time with a secret signing key. The spec is also designed with more advanced features that help against man-in-the-middle and replay attacks.
Why Are JWTs Important?
They handle some of the problems with information passed from a client to a server. JWT allows the server to verify the information contained in the JWT without necessarily storing state on the server. As a trend, we are seeing more and more SaaS products include JWT integrations as a feature or using JWT in their product directly. Stormpath has always followed secure best practices for JWTs, in several parts of our stack, so we want to share some best practices for using JWT the right way.
JSON Web Token (JWT) is a useful standard becoming more prevalent, because it sends information that can be verified and trusted with a digital signature. In their most basic form, JWTs allow you to sign information (referred to as claims) with a signature and can be verified at a later time with a secret signing key. The spec is also designed with more advanced features that help against man-in-the-middle and replay attacks