JWT Authentication in a Web Service
So, you want to add auth to your API. Great! Do you have 10 minutes?
Using services based on open standards, you can stand on the shoulders of existing infrastructure to secure your API. And it’s so easy that an end-to-end demo fits on this page.
The key concept is to model identity and trust using signed JSON objects, called JSON Web Tokens (JWTs). There are a few requirements to keep in mind when using JWT-based authentication:
- Always use HTTPS for every request. This layer of security protects your customers from nasty stuff like data interception and replay attacks. Thanks to tools like AWS Certificate Manager, obtaining a valid SSL/TLS certificate is usually free.
- Expect every request coming into your server to include a signed JWT. JWTs are small, serialized pieces of JSON signed with a revokable secret. This requirement also means that it’s easy to host your secure API on “serverless” backends like AWS Lambda.
- Host your server anywhere you want. Clients need access the public internet in order to obtain a signed JWT before they make requests, but your server does not need to access any data layer or internet service in order to receive JWTs. In order to verify JWT signatures, you’ll need to deploy a revokable secret value to your servers.
- Use battle-tested code such as Auth0 Lock. You don’t need to make your own sign-in page. Instead, take advantage of the standards-based libraries and widgets and customize them to your needs. If you’re making something besides a website (e.g. a custom script or a native mobile app), then Auth0 also has you covered with special libraries just for you.
Demo Express.js HTTPS Server
Nearly all server frameworks support JWT authentication via library functions. In the example below, it only took 5 lines of code to secure an endpoint of my Express.js API using the “express-jwt” middleware. Seriously!
Have you ever experienced the bug where your customer signs in to a session on one server, but then your load balancer routes the next call to a different machine and they have to sign in again? Crazy! Using JWT-based authentication is especially easy because it eliminates the need for your API to do auth session management. If you previously used an auth strategy that required you to maintain live data records of “currently signed in people,” then you can see the clear advantages of instead representing that state with JWTs in individual session calls.
Here’s a minimal working example server. Feel free to try it out yourself: https://tonicdev.io/theopak/jwt-auth-demo/branches/master/
Updating your client-side code to use JWTs is also pretty easy.
That’s it! Now you have a secure web API and client that can be deployed on-premises or to the cloud, with compliance to the highest standards for security and auditability. It’s no wonder that JWT-based authentication is replacing less scalable strategies in every imaginable industry.
- Server source code: https://tonicdev.com/theopak/jwt-auth-demo-server
- Client source code: https://codepen.io/theopak/pen/wMxEJO
- Auth0 Documentation: https://auth0.com/docs
This was a fairly trivial example, but I think you’ll find that the strategy scales to production use cases as well. And Auth0 has extensive examples and seed projects for almost every tech stack imaginable.
Ready to switch your production service to JWT-based authentication and authorization? Try a quick-start here: https://auth0.com/docs