Presentation is loading. Please wait.

Presentation is loading. Please wait.

BY: SHIVI AGRAWAL ( ) CSE-(6)C

Published byLeonard Richards Modified over 5 years ago

Similar presentations

Presentation on theme: "BY: SHIVI AGRAWAL ( ) CSE-(6)C"— Presentation transcript:

1 BY: SHIVI AGRAWAL (1403210197) CSE-(6)C
JSON WEB TOKEN(JWT) BY: SHIVI AGRAWAL ( ) CSE-(6)C

2 CONTENTS Introduction Cookie Based Authentication
Token Based Authentication JSON Web Token When to use JWT? JWT Structure How JWT works? JWT v/s other methods Cons Refrences

3 INTRODUCTION Authentication Ways to authenticate
(i). Cookie based (Stateful Authentication) (ii). Token based (Stateless Authentication)

4 Cookie Based Authentication
Stateful : An authentication record or session must be maintained. The server needs to keep track of active sessions in a database. Every request is accompanied by a cookie. Whenever the user makes a request, the server validates the cookie and session Id. Basic flow using cookie authentication:

5

6 Procedure User enters their login credentials.
Server verifies the credentials are correct and creates a session which is then stored in a database. A cookie with the session ID is placed in the users browser. On further requests, the session ID is verified against the database and if valid, the request processed. Once a user logs out of the app, the session is destroyed both client and server side.

7 Features Stateful Coupling with web framework
Cross Origin Request Sharing(CORS) No data storage Performance

8 Token Based Authentication
Stateless:  The server does not keep a record of which users are logged in . Instead, every request to the server is accompanied by a token which the server uses to verify the authenticity of the request. Basic Flow of token based authentication:

9

10 Procedure User enters their login credentials.
Server verifies the credentials are correct and returns a signed token. This token is stored client-side, most commonly in local storage. Subsequent requests to the server include this token as an additional Authorization header. The server decodes the JWT and if the token is valid processes the request Once a user logs out, the token is destroyed client-side.

11 Features Stateless CORS / Cross-Domain Data Storage Performance
Compact and Self Contained Easy implementation on Mobile Hence, Token based authentication is better than Cookie based authentication.

12 JSON Web Tokens JSON Web Token (JWT) is a compact, open standard means of representing claims to be transferred between two parties. These are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed. In layman’s language, JSON Web Token(JWT) is a self-verified encoded string that is used in Modern Web/Mobile app for both Authentication and Authorization. The fact that it is stateless removes the maintenance efforts that we need for other Authentication and Authorization tools. It is used as a replacement to cookies, or rather improvement over cookies. Compact and Self Contained. Used by Node.js, Ruby, python etc.

13 When to use JWT? Authentication : Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. It’s a feature that widely because of its small overhead and its ability to be easily used across different domains. Information Exchange:  JSON Web Tokens are a good way of securely transmitting information between parties, because as they can be signed, for example using public/private key pairs, you can be sure that the senders are who they say they are. You can also verify that the content hasn't been tampered. (using header and payload)

14 JWT Structure JWT Tokens consists of three parts appended by a (dot).
Header: type of token, hash algorithm Payload: claims (public, private and reserved) Signature

15 HEADER

16 PAYLOAD Common claims are: Issuer (iss) Subject (sub) Audience (aud)
Expiration time (exp) Not before (nbf) Issued at (iat) JWT ID (jti)

17

18 SIGNATURE

19 OUTPUT (JWT)

20 How JWT works? At step 3, Whenever the user wants to access a protected route, it should send the JWT, typically in the Authorization header using the Bearer schema. Therefore, the content of the header should look like the following: Authorisation: Bearer<Token>

21

22 JWT v/s Other Token Methods
Better than Simple Web Token(SWT) and SAML(Simple Assertion Markup Language). Less verbose. Security Common parser jwt.io samltool.io

23 Cons of JWT Data Overhead.
Security of whole platform will be compromised if the secret key is leaked.

24 REFRENCES https://jwt.io

25 Your Queries Please !

26 Thank you!

Download ppt "BY: SHIVI AGRAWAL ( ) CSE-(6)C"

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.

PIS: Unit III Digital Signature & Authentication Sanjay Rawat PIS Unit 3 Digital Sign Auth Sanjay Rawat1 Based on the slides of Lawrie.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series 2008 - WebSEAL SSO, Session 1 Presented by: Andrew Quap.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
Cryptography, Authentication and Digital Signatures

Cryptography, Authentication and Digital Signatures
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: 102088 March 10, 2001.

E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Similar presentations

Ads by Google