Authentication and Authorization with JWT in Node.js

User authentication and authorization is one of the most important parts of any web application: users must authenticate themselves before they gain access to protected views or resources.
In this article we will learn the following terms by example: authentication, authorization and JSON Web Tokens (JWT).

So if you do not have any knowledge about JWT, do not worry: in this article you will learn JWT by developing a project. For the implementation part, however, you should have previous experience with Node.js, ES6 and REST APIs.

Authentication vs Authorization

Authentication and Authorization

Authentication: who are you? Authentication is usually done before authorization.
When you enter your credentials (username and password) to log in and the system identifies you, this process is called authentication.

Authorization: what can you do? It defines your permissions to access resources.
Authorization determines what users can and cannot access, and it is usually done after successful authentication.

What are JSON Web Tokens?

JSON Web Tokens (JWT) were introduced as a method of communicating between two parties securely. Nowadays JWT is very popular for handling authentication and authorization over HTTP.

First we should know some information about HTTP.

HTTP is a stateless protocol, which means that HTTP does not maintain state: the server does not remember any previous requests sent by the same client.
So each HTTP request should be self-contained. Whatever information about the user's earlier requests the server needs must be included in the request itself.

There are a few ways of making HTTP requests self-contained:

  • Using a session ID, which is a reference to the user information.
    The server stores this session ID in memory or in a database. The client sends each request with this session ID, and the server can then fetch information about the client using this reference.

Session ID Authentication

  • Using JWT: the client sends an authentication request to the server, and the server sends a JSON token back to the client with the response; this token includes all the information about the user. The client then sends this token along with every request, and the server does not store any information about the session.

JWT Authentication

Structure of a JWT

A JWT consists of three parts, as you can see in the image below:

JWT Structure

  • The first section of the JWT is the header, which is a Base64-encoded string. The header contains the hashing algorithm that was used to generate the signature and the type of the token.

  • The second section is the payload, which contains the JSON object that was sent back to the user. Since this is only Base64-encoded, it can easily be decoded by anyone.
    It is recommended not to include any sensitive data in JWTs, such as passwords or personally identifiable information.
    Most of the time the sub property contains the ID of the user, and the property iat, which is short for "issued at", is the timestamp of when the token was issued.

  • The final section is the signature of the token. It is generated by hashing the string base64UrlEncode(header) + "." + base64UrlEncode(payload) together with the secret, using the algorithm named in the header.

The secret is a random string which only the server should know. No hash can be converted back to the original text, and even a small change to the original string results in a completely different hash. So the secret cannot be reverse-engineered from a token, and nobody without the secret can produce a valid signature.

According to the standard, the client sends this token to the server in an HTTP request header called Authorization, in the form Bearer [JWT_TOKEN]. So the value of the Authorization header looks something like:

Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o

The image below shows how to send the Authorization header using Postman:

post man authorization

Advantages of JWT

As we have discussed, a JWT can carry all of the information about the user itself, unlike session-based authentication. This is very useful for scaling web apps, such as a web app built from microservices.

Microservice Architecture

If we use traditional authorization methods, such as cookies, we have to share a database, like Redis, so that the session information is available to every server or internal service. But if we share the secret across the microservices, we can just use JWT, and no other external resource is needed to authorize users.

Implementation part

In this part we will develop a simple application using Node.js and JWT. You can visit the link below to start the development process and learn how to use JWT with Node.js to build an authentication layer for any project you develop: Implementing JWT Authentication with nodejs