Secure APIs with FastAPI and the Microsoft Identity Platform Transcripts
Chapter: JSON Web Token (JWT) Authentication
Lecture: Benefits of JWT authentication
0:00
Authenticating a user requires verifying the user's identity. The traditional cookie-based authentication method
0:06
makes use of HTTP cookies to authenticate client requests and stores session information on the server. Typically the following procedure is used.
0:15
A client, also called the user agent, sends a login request to the server. On
0:19
successful login, the server stores the session information in memory or persistent storage and sends an HTTP response that includes an HTTP cookie,
0:28
also called a browser cookie or web cookie, in the Set-Cookie header. A cookie is a string of data with name/value pairs
0:35
as its only required attributes. The cookie is tied to the session stored on the
0:40
server and may include additional attributes for the duration of the cookie, such as how long the cookie is valid for or an expiration date.
0:48
The cookie gets set in the client browser, and for authentication the client sends the cookie in the Cookie header on its subsequent requests.
0:56
The server then deserializes the cookie to authenticate the user, and the user remains
1:01
signed in as long as cookies are stored in the browser and are valid. User-specific cookie-related settings can also be set in the browser. By default,
1:10
most browsers expire the cookie which represents a client's current session when the client shuts down the browser session.
1:16
Cookie-based authentication has several disadvantages. The session information has to be stored on the server. Cookies need to be sent with
1:24
every request, which could reduce performance, especially for mobile apps. Cookies are for a specific server,
1:29
domain and path. Cross-Origin Resource Sharing, or CORS, HTTP headers must be used to
1:36
allow a browser to access origins such as a domain, scheme or port other than the server's own. And it is also extremely vulnerable to cross-site request
1:45
forgery (CSRF) attacks. So what is the solution? JSON Web Tokens, which is an open JSON-based standard. And if you want to look
1:54
at the RFC, then that's RFC 7519. It is designed for securely transmitting information between parties.
2:01
JWT, sometimes pronounced "jot", is secure as it can be digitally signed using a secret
2:08
with one of the supported algorithms, or a public/private key pair using RSA. In addition to secure information exchange,
2:16
JWT can also be used for authentication. The following procedure is typically used for JWT-based authentication.
2:24
So the user logs in successfully using their credentials: username and password, or it could also be FIDO, or it can also be biometrics.
2:31
The server then creates a JWT and signs it with a secret. The JWT or the signature is not stored on the server at all.
2:39
The signature is created from the encoded header and the encoded payload of the JWT along with the secret and an algorithm.
2:46
The JWT is then sent back to the user. The user must store the JWT securely.
2:52
The JWT is typically not stored in the browser, which would involve the same CSRF issues
2:58
as cookies do. Then the user includes the JWT in the Authorization header when
3:04
accessing a secured resource. The server then has to verify the JWT signature, as the signature is based on the information in the JWT itself.
3:13
The JWT is self-contained and no JWT-related information is stored on the server. And if the JWT validation is successful,
3:21
the server allows the user access to the requested resource.
3:24
JWT-based authentication has several benefits as compared to cookie-based authentication, including but
3:31
not limited to stateless authentication: no user session information is stored on the server,
3:36
which is great. It's not limited to specific domains, paths or servers, so therefore
3:40
you don't suffer from the same cross-origin resource sharing issues that cookies have. JSON-based: JWT is more compact as compared to XML-based SAML,
3:50
which stands for Security Assertion Markup Language, pronounced "SAML". SAML is used for information exchange and it's typically used in cookies.
3:59
JSON is more commonly used on the internet for information exchange than XML, so libraries are more apt at working with JSON.
4:07
And finally, JWT can also include user permissions for specific resources using authentication and authorization
4:13
platforms such as Auth0, Azure Active Directory and so on.
4:18
Therefore, JWTs can also be used for authorization in addition to authentication, and that's
4:23
how we have ID tokens for authentication and access tokens for authorization. With that information in
4:29
mind, in the next module we'll look in depth at how JWTs are structured and how they work.
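The JWT procedure described in this lecture (the server signs the encoded header and encoded payload with a secret, the client presents the token in the Authorization header, and the server verifies the signature without any stored session state), carried through as an added example; this is not code from the course or from the Microsoft identity libraries. It uses only the Python standard library with HS256. The secret value, the claim names other than the registered `iat` and `exp`, and the helper function names are constructed for this example. Note that the verifier pins the algorithm to HS256 rather than reading it from the token: a token's own `alg` header is attacker-controlled, so the server must decide which algorithm and key it accepts.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical signing secret, constructed for this example only.
SECRET = b"example-hmac-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped during encoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes, lifetime_seconds: int = 300) -> str:
    """Issue an HS256-signed JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = dict(claims, iat=now, exp=now + lifetime_seconds)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    # The signature covers exactly the two encoded segments, nothing else.
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify signature and expiry statelessly; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if current >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload


def verification_error(token: str, secret: bytes, now: Optional[int] = None) -> Optional[str]:
    """Return the rejection reason for a token, or None if it verifies."""
    try:
        verify_jwt(token, secret, now)
    except ValueError as exc:  # binascii.Error from bad base64 is a ValueError too
        return str(exc)
    return None


def claims_from_authorization_header(header_value: str, secret: bytes) -> dict:
    """Extract and verify a bearer token from an 'Authorization' header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("expected 'Authorization: Bearer <token>'")
    return verify_jwt(token.strip(), secret)


if __name__ == "__main__":
    issued = create_jwt({"sub": "alice", "roles": ["reader"]}, SECRET)
    print(claims_from_authorization_header("Bearer " + issued, SECRET))
```

Because the server keeps nothing about the token, revocation before `exp` is not possible with this scheme alone; short lifetimes, as used here, are the usual mitigation.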