JSON Web Token 🔣




Introduction

Hello folks... 👋

In this blog, we will cover authorization in the JWT style: how a token is issued after login, attached to later requests, and verified by the server.

Before we move ahead, let me make clear what authentication and authorization mean.

Authentication

Authentication is a process used to prove a user's identity to the system. Usually, a user provides their credentials in order to gain access to their account.

Authorization

Authorization is the process of deciding which resources an authenticated user may access and which actions they may perform, typically based on the user's role or permissions.


Once a user is authenticated, they are then authorized to perform certain actions or access certain resources.

JWT is one of the usual ways to carry that decision: after login the server issues a signed token describing the user, and later requests present the token instead of the user's credentials.

JWT 🔑

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed (or, with the HMAC algorithms, protected by a MAC). Note that this protects integrity, not confidentiality: the header and payload of a signed JWT are only base64url-encoded, so anyone holding the token can read them. Do not put secrets in the payload.

In this, once the user is logged in, each subsequent request carries a JWT, allowing the user to access routes, services, and resources that are permitted with that token.

It also gives a session-like experience: the user is granted access to the web app for a certain period, and during that period they do not have to sign in again as long as the token attached to the request has not expired. This is why JWTs are a common token format in single sign-on systems. The flip side is that a JWT is a bearer token: whoever presents it is treated as that user, and a stolen token stays valid until it expires, so keep lifetimes short and only send tokens over HTTPS.

Now that we have a brief understanding of JWT, we can move ahead with the installation.

Installation

Install the NPM package

$ npm install jsonwebtoken

Token generation

We use the following syntax to generate a JWT:

SYNTAX:-

jwt.sign(payload, secretOrPrivateKey, [options, callback])

payload can be an object literal, buffer, or string representing valid JSON. secretOrPrivateKey is a string, buffer, or object containing either the secret for HMAC algorithms or the PEM-encoded private key for RSA and ECDSA algorithms. options can have the attributes algorithm, expiresIn, notBefore, audience, issuer, jwtid, subject, noTimestamp, header, keyid and mutatePayload. Set expiresIn whenever you issue a token: a token without an exp claim never expires.

Token generation is asynchronous if a callback is supplied; the callback receives either an error or the JWT.

If no callback is supplied, the function is synchronous and returns the JWT as a string.

Synchronous Sign with default (HMAC SHA256)

var jwt = require('jsonwebtoken');
// No algorithm given, so the library defaults to HS256. 'shhhhh' is a demo secret;
// in practice use a long random secret (at least 256 bits) loaded from configuration.
var token = jwt.sign({ foo: 'bar' }, 'shhhhh');

Asynchronous sign

var fs = require('fs');
var privateKey = fs.readFileSync('private.pem'); // PEM-encoded RSA private key (path is an example)
jwt.sign({ foo: 'bar' }, privateKey, { algorithm: 'RS256' }, function(err, token) {
  if (err) throw err;
  console.log(token);
});

Now this generated token is attached to subsequent requests, usually in an HTTP header such as Authorization: Bearer <token>.

Token verification

To verify the generated token, we use the following syntax:

SYNTAX:-

jwt.verify(token, secretOrPublicKey, [options, callback])

If a callback is supplied, the function acts asynchronously. The callback is called with the decoded payload if the signature is valid and the optional expiration, audience, and issuer checks pass. If not, it is called with the error.

If a callback is not supplied, the function acts synchronously. It returns the decoded payload if the signature is valid and the optional expiration, audience, and issuer checks pass. If not, it throws the error.

token is the JsonWebToken string

secretOrPublicKey is a string or buffer containing either the secret for HMAC algorithms or the PEM-encoded public key for RSA and ECDSA. If jwt.verify is called asynchronously, secretOrPublicKey can also be a function that fetches the secret or public key; it receives the decoded token header, so it can select the key by its kid.

options can have the attributes algorithms, audience, complete, issuer, ignoreExpiration, ignoreNotBefore, subject, clockTolerance, clockTimestamp and nonce. Always pass algorithms explicitly (for example ['HS256'] or ['RS256']) so that the server, not the token, decides which algorithms are acceptable. If the choice is left to the token's own alg header, an attacker can present a token signed with a different algorithm; the classic case is an HS256 token whose HMAC "secret" is your public RSA key. Set audience and issuer as well, so a token issued for one service is not accepted by another.

Access is granted only when the signature verifies and the claims (expiration, not-before, audience, issuer) check out; otherwise the request should be rejected.

Resources

If you want to learn more about JWT go through the following resources

And by this, we come to the end of our blog. Thanks for taking out the time to read this blog. Feel free to share your opinion on this blog in the comments section.

Connect with me on LinkedIn, Twitter, Github.