JWT - JSON Web Token Crash Course (NodeJS & Postgres)

JSON Web Token (JWT, sometimes pronounced "JOT") is an internet standard for creating JSON-based access tokens that assert some number of claims. The tokens are signed either using a private secret or a public/private key pair.

In this video I want to discuss the difference between JWT (JSON Web Tokens) and session-based authentication. I will show examples with Node.js and Postgres. Finally, I'll discuss the pros and cons of JWT.

Chapters
0:00 Intro
2:25 Session-Based Auth
9:00 JWT Based Auth
16:10 Refresh Tokens
25:17 Asymmetric JWT
28:16 Example coding
42:00 Pros and Cons

Source Code

Resources
draft-ietf-oauth-jwt-bcp-07 - JSON Web Token Best Current Practices

🏭 Software Architecture Videos

💾 Database Engineering Videos

🛰 Network Engineering Videos

🏰 Load Balancing and Proxies Videos

🐘 Postgres Videos

🚢Docker

🧮 Programming Pattern Videos

🛡 Web Security Videos

🦠 HTTP Videos

🐍 Python Videos

🔆 Javascript Videos

Support me on PayPal

Become a Patreon

Stay Awesome,
Hussein
Comments

Please do a video on OAuth 2 sometime!

aleksandrchernov

Found this channel a little late, and now I know there are lots of things to learn in software engineering
(knowing only CRUD operations is not enough 😂)

AbhishekKumar-mdul

Cleared up the difference between Session and JWT. Hope you make a video on Kerberos.

Thanks,
Ratnadeep

lord

To log out immediately, I first set the refresh token to null in the database and
I set the value of the access token (JWT_TOKEN in your case) in the cookie to empty or null from the backend as
res.cookie("key", "", { maxAge: 1 });
and redirect to another page.
If there is a better way please tell :)

suparthghimire

It's so frustrating spending literal days trying to find decent examples of using JWT and not finding anything great, and then finding out that a person I'm subscribed to had one this whole time... I hate YouTube's algorithm.

Are you still considering making an example?

patrickconrad

You can avoid XSS and CSRF by storing the JWT in a secure, HTTP-only, same-site cookie.
I really don't see any point in using a refresh token; it's just putting more complexity on both client and server.

hstivggfghyhgfg

Great video.. 🙏
My questions:
1. When we are going to store refresh tokens in the DB, why do we need to make them JWT tokens at all? Why can't plain old GUIDs work as refresh tokens, as they used to in the case of session IDs?

2. Is logout completely a client-side gimmick in this design?

abhinavsrivastava

For a stolen refresh token, what about a 1-to-1 mapping, so only one access token can be paired with a refresh token?

mr.random

I have watched plenty of JWT tutorials and I can confidently say this is the best one on YouTube. Great job!!

jivinvaidya

The way we implemented the logout functionality is we put the JWTs which came in for logout into a key in Redis with an array of JWTs. During the validation of the JWT, every time before the request, we check whether the JWT is present in that Redis key. If it's present, then it means that it has already been logged out and we handle the request accordingly. If we want to manually make a key invalid, we can add that JWT to that Redis key.

palaniappanrm

Don’t think you’re sly with those Count of Monte Cristo references. Great stuff.

ConsuelaPlaysRS

Wilson Barbara Brown Eric Thompson Michelle

TommyPhoebe-db

Using WebSockets could avoid the latency for critical services, since the JWT can be updated independently of the API request.

richardmoore

Thanks Hussein for the session, and please make a session on Kerberos.

nafasm

Want videos on Kerberos, OAuth, and the difference between OAuth and federated login.

vishnubalan

So, essentially, we decreased the frequency of the session DB hops.

sanjarcode

Ehhh...

I mean I've never used JWT so clearly my opinion of it is coloured by that, but it just seems so superfluous. First off, the concepts of J (and arguably W) are completely irrelevant, it's a signed token, and that's it.

Secondly, if you want your servers to be able to avoid hitting the databases sometimes, cache locally. Have your HAProxy in layer 7 mode, and stick clients based on the session ID cookie, and then the servers can happily cache the rows from the session ID, and do a fetch every so often to invalidate.

The fetch can even be asynchronous, or even event driven. Have the database publish to an event stream when a session row is deleted, and have the servers subscribe to that. Every few minutes (or on the events if needed), the servers tell their local redis `DEL session_data_<session_id>`.

The only problem that could throw up is if the user somehow logs out on a different instance to the one they've been stuck to, and then manages to not delete their cookie as instructed, AND then provides it back to the original server that hasn't noticed they've been logged out yet, and even then all that means is they're a different user for a little bit.

Reaching for asymmetric encryption to have the users hold some data to save the servers executing a SQL query sounds a hell of a lot like job security in action, same as GraphQL.

---

E: Absolutely fantastic explanation and presentation thereof by the way. I dislike the thing you described, not your description of it.

Asdayasman

Thanks for your efforts. But I didn't find any use for the refresh token. We can also achieve the same functionality using only the access token. Please see the flow below without a refresh token:
1. Login endpoint - generate an access token with a 15-minute expiry and save it to the DB against the corresponding user.
2. Protected endpoint - verify the access token. If expired, return the message "token expired".
3. Refresh endpoint - verify and regenerate the access token only if it is expired and exists in the DB. Replace the old access token in the DB with the new one.

Please solve my doubts. Thanks

mannumannu

How does the client know that its token is expired and it needs to send the refresh token? Or does the client send the refresh token every time and the server generates a new token if the previous one is expired, validating its refresh token?

yatendramaurya

Thanks Hussein!!, I voted for this!

evans