登录查看更多内容

How does OAuth use JWTs to authenticate users?

由人工智能和领英社区提供技术支持

If you use web or mobile applications that require you to log in with a third-party service, such as Google, Facebook, or GitHub, you are probably familiar with OAuth. OAuth is an open standard for authorization that allows users to grant access to their online resources without sharing their passwords. But how does OAuth use JWTs to authenticate users? In this article, you will learn about the role of JWTs in OAuth and how they work.

此文章中的业界达人

由社区从 5 条内容中精选。了解更多

1 What is a JWT?

A JWT, or JSON Web Token, is a compact and secure way of transmitting information between two parties as a JSON object. A JWT consists of three parts: a header, a payload, and a signature. The header contains metadata about the token, such as the algorithm used to sign it. The payload contains the claims, or the data that the token carries, such as the user's identity, roles, or permissions. The signature is the result of applying a cryptographic algorithm to the header and the payload, using a secret key or a public/private key pair. The signature ensures that the token has not been tampered with or forged.

添加您的观点

Adil Rathore

ServiceNow CSDM, ServiceNow Architect and Technical Trainer | CIS - ITSM, Discovery, Service Mapping, Event Management, SAM | Agile and IT4IT Advocate
举报内容
A JWT is a digital key made up of numbers and letters. It is like a secret code that a computer understands. When you log into a website, instead of entering your username and password every time you want to access a new page, the website gives you this digital key after you successfully log in. This digital key, that is JWT, is then sent back to the website every time you click on a new page or do something on the site. The website checks this key to make sure it’s valid and that you are who you say you are.

已翻译

赞
Manoj Kuppam

Keeping Systems Scalable, Reliable and Resilient - Award Winning Head of SRE | Speaker | IEEE SM | Community Champ Coach FISD | Mentor | Judge
举报内容
It is the open standard that defines a compact and self-contained way of securely transmitting information between parties as a json object. It has a header, payload and signature.

已翻译

赞

2 How does OAuth use JWTs?

OAuth uses JWTs in two ways: as access tokens and as ID tokens. An access token is a token that the user's application (the client) obtains from the authorization server (the service that grants access) after the user has authenticated and authorized the client. The client can then use the access token to access the user's resources on the resource server (the service that hosts the resources). An access token can be a JWT or another format, depending on the OAuth flow and the authorization server's implementation. A JWT access token has the advantage of being self-contained, meaning that it does not require the resource server to contact the authorization server to validate it.

An ID token is a token that the authorization server issues to the client along with the access token, in some OAuth flows, such as the OpenID Connect flow. An ID token is always a JWT and contains information about the user's authentication, such as the user's identifier, the issuer of the token, the audience of the token, and the expiration time of the token. The client can use the ID token to verify the user's identity and obtain additional user attributes.

添加您的观点

Christian Zacarias

Lead Infrastructure Architect | Global IT Solutions | Azure & Cloud Expert
举报内容
Access tokens are used by the client application to access protected resources on behalf of the user. The access token contains claims about the user, such as their identifier, the scope of the token, and the expiration time of the token. ID tokens are used to provide information about the user to the client application. The ID token contains claims about the user, such as their identifier, their name, and their email address. When a user authenticates with an OAuth provider, the provider will issue an access token and an ID token to the client application. The client application can then use the access token to access protected resources on behalf of the user, and it can use the ID token to learn more about the user.

已翻译

赞

3 How are JWTs validated?

To validate a JWT, the recipient of the token needs to do three steps: decode, verify, and trust. Decoding means parsing the token into its three parts and decoding them from base64 to JSON. Verifying means checking that the signature matches the header and the payload, using the appropriate algorithm and key. Trusting means checking that the claims in the payload are valid and relevant, such as the issuer, the audience, the expiration time, and the scope of the token. The recipient should also check for any custom claims that are specific to the application or the service.

添加您的观点

4 How are JWTs secured?

JWTs are secured by using cryptographic algorithms and keys to sign them. There are two types of algorithms: symmetric and asymmetric. Symmetric algorithms use the same secret key to sign and verify the token, such as HMAC-SHA256. Asymmetric algorithms use a public/private key pair, where the issuer signs the token with the private key and the recipient verifies it with the public key, such as RSA or ECDSA. Symmetric algorithms are faster and simpler, but require the issuer and the recipient to share the same secret key, which can be risky. Asymmetric algorithms are more secure and scalable, but require the issuer and the recipient to exchange and manage the public keys, which can be complex.

添加您的观点

Manoj Kuppam

Keeping Systems Scalable, Reliable and Resilient - Award Winning Head of SRE | Speaker | IEEE SM | Community Champ Coach FISD | Mentor | Judge
举报内容
JWTs are signed using HS256 (HMAC with SHA256) using a secret key or RS256 (RSA with SHA 256) using a public/private key pair.

已翻译

赞

5 What are the benefits and drawbacks of JWTs?

JWTs have some advantages and disadvantages as a format for OAuth tokens. For instance, they are self-contained, compact, and standardized. This means they can carry all the necessary information to authorize and identify the user without requiring database queries or network calls, fit into HTTP headers, query parameters, or cookies without exceeding size limits or affecting performance, and are supported by many libraries, frameworks, and platforms, allowing them to interoperate with different services and applications. On the other hand, JWTs cannot be revoked once issued unless they expire or are blacklisted; they can be stolen or leaked and used by malicious parties to impersonate or access the user's resources; and they are not human-readable or easily inspectable unless decoded and verified.

添加您的观点

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

Deepa Ajish

Vice President | ServiceNow Transformation & Automation Leader | Security & Compliance | IT Security Strategist | Judge | Coach | Mentor
举报内容
A use case scenario- ServiceNow uses this as part of Microsoft Sharepoint Online spoke. Start with configuring OAuth application in Azure for authentication. You need to load JKS certificate and configure JWT signing key in Servicenow for the connection to work.

已翻译

赞

IT Operations

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How does OAuth use JWTs to authenticate users?

1

2

3

4

5

6

1 What is a JWT?

2 How does OAuth use JWTs?

3 How are JWTs validated?

4 How are JWTs secured?

5 What are the benefits and drawbacks of JWTs?

6 Here’s what else to consider

IT Operations

给文章评分

感谢您的反馈

更多IT Operations相关文章

更多相关阅读内容

How does OAuth use JWTs to authenticate users?

1

2

3

4

5

6

1 What is a JWT?

2 How does OAuth use JWTs?

3 How are JWTs validated?

4 How are JWTs secured?

5 What are the benefits and drawbacks of JWTs?

6 Here’s what else to consider

IT Operations

给文章评分

感谢您的反馈

查看其他技能