JSON Web Tokens, or JWTs, are now used heavily across the web, most of all for authentication. A JWT is a signed, URL-safe token that carries a set of claims: arbitrary JSON data that the issuer wants to hand to a client and later get back unmodified.
If you want more information on JWTs, see IETF RFC 7519 from the Internet Engineering Task Force, which lays out exactly what one is.
0:00 Now that we know where we're going to store information about our logged in
0:04 user, and know that it can be secured using this thing called JSON Web Token,
0:09 or JWT, pronounced jot, you may be asking what the heck it is?
0:15 A JWT is a way to transfer and store data in a secure and URL safe way.
0:22 A JWT contains three parts, a header, claims, and signature.
0:27 The header contains all the cryptographic information that defines the JWT,
0:31 an algorithm which is typically HS256.
0:36 HS256 defines that we will be using the SHA256 algorithm for
0:42 the encryption of the token.
0:44 The other field is the type.
0:45 There are a few options here, but typically we use JWT.
0:50 The claims section which is the second part of a JWT
0:53 contains all the information that you want to store in the JWT.
0:56 There are two types of claims that you can put here.
1:00 Public and private claims.
1:02 The public claims are defined as collision safe claims, and private claims should
1:07 be used with caution because there's no way of guaranteeing no collision.
1:12 Typical claims you will see in a JWT are issuer,
1:15 subject, issued at, not before, and JWT ID.
1:20 Inside of our claim,
1:22 we will also add some private claims to define the role in the system.
1:27 An is_admin claim will be added as a Boolean to tell our logic if the current
1:32 user is an administrator.
1:35 The last section is what makes the JWT secure.
1:38 We can sign our JWT with a private key.
1:41 Doing so will allow us to tell if the JWT was modified
1:45 after we created it with our key.
1:47 For more information on how the signing of the key works,
1:51 please look at the RFC referenced in the teacher's notes.