JWT Authentication - What Is It and How Do You Use It With Amplication?

Wadi — Tue, 20 Dec 2022 11:22:40 +0000

JSON Web Token (JWT) is now supported by Amplication, the open source platform for Node.js app development.

This article gives you an overview of how JWT works and how you can use it in your Amplication-generated app.

What is JWT?

JWT is an open standard security token that transmits information securely as a JSON object, useful for authorization and information exchange. It contains all essential information about an entity, meaning that no database queries are necessary, and the session doesn’t need to be saved on the server. You can sign the token using a private secret or a public/private key. Its short messages can be encrypted and securely convey the identity of the sender and whether they have the necessary access rights.

Note: Most programming languages have a library for generating JWT, so you don’t have to do it manually.

JWT structure

JWT contains three parts: Header, Payload, and Signature as described in the following sections.

Header

The header provides information about the type of token and the signing/encryption algorithm being used.

The header typically consists of two parts:

alg - the signing algorithm used, such as HMAC SHA256 or RSA
typ - the type of token (which is JWT)

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three classes of claim names; Registered, Public, and Private.

Registered claims

Registered claims are defined by the JWT specification. JWT defines a set of seven reserved claims that are not obligatory, but it is recommended that you use them to allow interoperability with third-party applications.

Note: Public claims and private claims are both considered custom claims, created to share information between parties that agree to use them.

Public claims

You can define public claims however you want, but to avoid collisions they should be defined in the IANA JSON Web Token Registry.

Private claims

You can create private claims to share information specific to your application. Unlike public claims, private claims might collide as they are not registered, so use them with care. Private claims should not share names with registered or public claims.

The following example includes a private claim loggedInAs, and a registered claim iat.

{
  "loggedInAs": "admin",
  "iat": 1422779638
}

Signature

The signature is used to verify that the message wasn’t changed in transit. If the token is signed with a private key, it can also verify the identity of the sender. To create the signature part, sign the encoded header, the encoded payload, a secret, and the algorithm specified in the header. The following example uses the HMAC SHA256 algorithm:

HMAC_SHA256(
  secret,
  base64urlEncoding(header) + '.' +
  base64urlEncoding(payload)
)

JWT workflow

Users have only indirect contact with the token, for example, when they enter usernames and passwords. The actual communication takes place between the client and the server.

Before using JWT, you must define a secret key. As soon as a user has successfully entered their login information, the JWT will be returned with the key and saved locally. This transfer should take place over HTTPS to ensure that the data is protected. These steps are described as follows:

The user logs in to the client using a username and password.

The server checks if the hashed password is the same as the hashed password stored in the database for this user.

If the hashed passwords are the same, the JWT service in the server stores the data in the JWT payload section and signs it.

The server sends the signed JWT to the client, and the client saves it locally.

The next time the user sends a request for data, the client sends the token to the server in the authorization header of the HTTP request using the Bearer scheme.

What is a bearer token?

Bearer authentication is an HTTP authentication scheme using Bearer tokens, so-named because it gives access to the bearer of the token. The Bearer token is a cryptic string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources. After a user has been authenticated, the application validates the user’s Bearer token.

You must provide the token using Header, Body, or Query.

This example shows you how to set the value of the authorization header as Bearer:

Authorization : Bearer cn389ncoiwuencr

If you want to send the token in the body or as a query, add access_token to your required option, for example:

{
  "access_token": "eyJhb...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Selecting JWT as the authentication method in Amplication

Support for JWT is built-in to Amplication.

To select JWT authorization for your Amplication app, go to your project dashboard, select Auth Settings and choose JWT from the dropdown list.