Secure APIs with FastAPI and the Microsoft Identity Platform Transcripts
Chapter: JSON Web Token (JWT) Authentication
Lecture: Benefits of JWT authentication
0:00 Authenticating a user requires the verification of the user's identity. The traditional cookie-based authentication method
0:06 makes use of HTTP cookies to authenticate client requests and store session information on the server. Typically the following procedure is used.
0:15 A client, also called the user agent, sends a login request to the server. On
0:19 successful login, the server stores the session information in memory or persistent storage and sends an HTTP response that includes an HTTP cookie,
0:28 also called a browser cookie or web cookie, in the Set-Cookie header. A cookie is a string of data with name-value pairs
0:35 as its only required attributes. The cookie is tied to the session stored on the
0:40 server and may include additional attributes for the duration of the cookie, such as how long the cookie is valid for or an expiration date.
0:48 The cookie gets set in the client browser, and for authentication the client sends the cookie in the Cookie header on its subsequent requests.
0:56 Then the server deserializes the cookie to authenticate the user, and the user remains
1:01 signed in as long as cookies are stored in the browser and are valid. User-specific cookie-related settings can also be set in the browser. By default,
1:10 most browsers expire a cookie which represents a client's current session when the client shuts down the browser session.
1:16 Cookie-based authentication has several disadvantages. The session information has to be stored on the server. Cookies need to be sent with
1:24 every request, which could reduce performance, especially for mobile apps. Cookies are for a specific server
1:29 domain path; Cross-Origin Resource Sharing, or CORS, HTTP headers must be used to
1:36 allow a browser to access origins such as a domain, scheme or port other than the server's own, and it is also extremely vulnerable to cross-site request
1:45 forgery, CSRF, attacks. So what is the solution? JSON Web Tokens, which is an open JSON-based standard, and if you want to look
1:54 at the RFC then that's RFC 7519. It is designed for securely transmitting information between parties.
2:01 JWT, sometimes pronounced "jot", is secure as it can be digitally signed using a secret
2:08 with one of the supported algorithms or a public/private key using RSA. In addition to secure information exchange,
2:16 JWT can also be used for authentication. The following procedure is typically used for JWT-based authentication.
2:24 So the user logs in successfully using their credentials, user name and password, or it could also be FIDO or biometrics.
2:31 The server then creates a JWT and signs it with a secret. The JWT or the signature is not stored on the server at all.
2:39 The signature is created from the encoded header and the encoded payload of the JWT along with the secret and an algorithm.
2:46 The JWT is then sent back to the user. The user must store the JWT securely.
2:52 JWT is typically not stored in the browser, which would involve the same CSRF issues
2:58 as cookies do. Then the user includes the JWT token in the Authorization header when
3:04 accessing a secured resource. The server then has to verify the JWT signature, as the signature is based on the information in the JWT itself.
3:13 The JWT is self-contained and no JWT-related information is stored on the server. And if the JWT validation is successful,
3:21 the server allows the user access to the requested resource.
3:24 JWT-based authentication has several benefits as compared to cookie-based authentication, including but
3:31 not limited to: stateless authentication. No user session information is stored on the server,
3:36 which is great. It's not limited to specific domain paths or servers, so therefore
3:40 you don't suffer from the same cross-origin resource sharing issues that cookies have. JSON based: JWT is more compact as compared to XML-based SAML,
3:50 which stands for Security Assertion Markup Language, pronounced SAML. SAML is used for information exchange and it's typically used in cookies.
3:59 JSON is more commonly used on the internet for information exchange than XML, so libraries are more apt to working with JSON.
4:07 And finally, JWT can also include user permissions for specific resources using authentication and authorization
4:13 platforms such as Auth0, Azure Active Directory and so on and so on.
4:18 Therefore, JWTs can also be used for authorization in addition to authentication, and that's
4:23 how we have ID tokens for authentication and access tokens for authorization. With that information in
4:29 mind, in the next module we'll look in depth at how JWTs are structured and how they work.