1
00:00:00,000 --> 00:00:01,050
Instructor: So again,

2
00:00:01,050 --> 00:00:03,480
here is the OAuth2 Flow we discussed.

3
00:00:03,480 --> 00:00:04,650
We see the redirection,

4
00:00:04,650 --> 00:00:06,958
we see the permission granting,

5
00:00:06,958 --> 00:00:10,500
and we see the access token.

6
00:00:10,500 --> 00:00:12,720
So remember the access token is

7
00:00:12,720 --> 00:00:16,094
a token returned by the authorization server,

8
00:00:16,094 --> 00:00:20,790
and that the client app sends to the resource server

9
00:00:20,790 --> 00:00:23,250
in order for the user to be identified.

10
00:00:23,250 --> 00:00:25,863
So what exactly is this access token?

11
00:00:27,510 --> 00:00:30,120
So with the OAuth2 protocol,

12
00:00:30,120 --> 00:00:34,023
the access token is something called a JWT.

13
00:00:35,100 --> 00:00:37,140
So what exactly is a JWT?

14
00:00:37,140 --> 00:00:38,520
JWT is an acronym.

15
00:00:38,520 --> 00:00:41,940
It stands for JSON Web Token.

16
00:00:41,940 --> 00:00:44,940
And it's a small string containing the data

17
00:00:44,940 --> 00:00:49,230
the server needs in order to authenticate the user.

18
00:00:49,230 --> 00:00:53,911
So, this token is returned by the OAuth2 authorization server

19
00:00:53,911 --> 00:00:58,410
and it contains everything the API or the server needs

20
00:00:58,410 --> 00:01:00,990
so that it will know exactly who the user is

21
00:01:00,990 --> 00:01:02,553
and what he is allowed to do.

22
00:01:03,831 --> 00:01:07,267
So, what exactly does a JWT look like?

23
00:01:07,267 --> 00:01:10,744
So, the JWT has three sections.

24
00:01:10,744 --> 00:01:12,837
The first one is the header.

25
00:01:12,837 --> 00:01:15,210
The header contains the type of token,

26
00:01:15,210 --> 00:01:16,303
usually JWT

27
00:01:16,303 --> 00:01:21,150
and the signing algorithm used to sign the JWT.

28
00:01:21,150 --> 00:01:24,366
For example, here is a typical JWT header.

29
00:01:24,366 --> 00:01:25,529
So you see the type,

30
00:01:25,529 --> 00:01:28,530
which is in the typ field

31
00:01:28,530 --> 00:01:30,143
and it is JWT.

32
00:01:30,143 --> 00:01:32,850
And the algorithm which is in this case

33
00:01:32,850 --> 00:01:33,683
HS256.

34
00:01:34,527 --> 00:01:37,383
So this is the first section, the header.

35
00:01:38,280 --> 00:01:41,053
The second section is the Payload.

36
00:01:41,053 --> 00:01:44,630
So the Payload contains the actual data about the user

37
00:01:44,630 --> 00:01:48,060
that the server needs in order to make a decision

38
00:01:48,060 --> 00:01:50,880
whether the user can access the resource or not.

39
00:01:50,880 --> 00:01:53,580
Now there isn't a standard format for the Payload.

40
00:01:53,580 --> 00:01:56,441
So basically you can put there whatever you want.

41
00:01:56,441 --> 00:02:01,140
And here is a typical example of what the Payload looks like.

42
00:02:01,140 --> 00:02:03,230
So you can see here the name of the user,

43
00:02:03,230 --> 00:02:04,609
in this case John Doe.

44
00:02:04,609 --> 00:02:06,240
and his role,

45
00:02:06,240 --> 00:02:07,680
which is admin.

46
00:02:07,680 --> 00:02:10,893
And some more data like the sub-organization number.

47
00:02:12,150 --> 00:02:13,170
So this is the Payload,

48
00:02:13,170 --> 00:02:15,780
and this is the most important part of the JWT

49
00:02:15,780 --> 00:02:18,798
again, because it contains the actual data on the user

50
00:02:18,798 --> 00:02:21,360
that the API needs.

51
00:02:21,360 --> 00:02:24,270
The last section is the Signature.

52
00:02:24,270 --> 00:02:27,450
So the JWT is signed electronically

53
00:02:27,450 --> 00:02:30,420
so that it can't be tampered with during the transfer

54
00:02:30,420 --> 00:02:32,880
from the authorization server to the API.

55
00:02:32,880 --> 00:02:37,620
Now the three parts of the JWT are encoded

56
00:02:37,620 --> 00:02:42,620
using the Base64 algorithm and are concatenated with a dot.

57
00:02:43,920 --> 00:02:46,773
So a typical JWT will look like this.

58
00:02:48,960 --> 00:02:51,210
Note the three parts,

59
00:02:51,210 --> 00:02:52,560
they are color coded.

60
00:02:52,560 --> 00:02:56,970
And also note the dot separating the various parts.

61
00:02:56,970 --> 00:02:59,406
The first part is the header,

62
00:02:59,406 --> 00:03:01,650
of course, encrypted and encoded.

63
00:03:01,650 --> 00:03:04,167
The second part is the Payload

64
00:03:04,167 --> 00:03:07,140
and the last part is the Signature.

65
00:03:07,140 --> 00:03:09,990
Now you can easily examine JWTs

66
00:03:09,990 --> 00:03:12,509
and even construct some for yourself

67
00:03:12,509 --> 00:03:15,420
using the JWT Debugger.

68
00:03:15,420 --> 00:03:17,910
So, let's take a look at it.

69
00:03:17,910 --> 00:03:19,480
And we will go to

70
00:03:21,090 --> 00:03:21,923
JWT.io

71
00:03:28,130 --> 00:03:30,840
and let's scroll down.

72
00:03:30,840 --> 00:03:34,410
And what you see here is the JWT Debugger.

73
00:03:34,410 --> 00:03:36,000
So here,

74
00:03:36,000 --> 00:03:37,454
we can see the header,

75
00:03:37,454 --> 00:03:38,808
the Payload,

76
00:03:38,808 --> 00:03:40,350
and the Signature.

77
00:03:40,350 --> 00:03:41,790
Which we won't deal with.

78
00:03:41,790 --> 00:03:43,980
And now let's modify the Payload.

79
00:03:43,980 --> 00:03:46,020
And see what happens here.

80
00:03:46,020 --> 00:03:48,780
This is a real time representation of the JWT

81
00:03:48,780 --> 00:03:51,060
created from this data.

82
00:03:51,060 --> 00:03:52,860
So, for example,

83
00:03:52,860 --> 00:03:56,250
I'll modify the name to be mine.

84
00:03:56,250 --> 00:03:57,783
Mimi Levine.

85
00:03:59,370 --> 00:04:04,370
And you see that the resulting token changes as I write.

86
00:04:04,980 --> 00:04:09,690
So this is a great playground to find out what a JWT will

87
00:04:09,690 --> 00:04:11,779
look like in specific scenarios.

88
00:04:11,779 --> 00:04:13,602
So, feel free to play here.

89
00:04:13,602 --> 00:04:17,459
And try various types of data in the JWT

90
00:04:17,459 --> 00:04:18,753
and see what happens.

