This is also available in written form on my blog: newdevsguide.com/2022/11/12/json-web-tokens-simplified/
@MatthewMiller-hk7kw8 months ago
Single-handedly the best explanation I've ever gotten over this!
@MattEland8 months ago
Thanks! It's just a very well-suited metaphor.
@omotosoiyanu17679 months ago
I’ve been watching videos and reading articles on JWT for some time now and I still find myself going back to another article to understand even the basics but after watching this I don’t think I will ever go back to watching a video on just the basic understanding of JWT again … Thank you very much
@ChinchillaDave11 months ago
JWT equals hotel key card. Brilliant, thank you! Both require upfront verification once but permit use of the token in subsequent interactions as a replacement, for a certain time period and subject to further rules and limitations. So good!
@idrisseahamadiabdallah76697 days ago
The key card example explains it very well sir. Continue using that strategy. 👍🤝
@ADHJkvsNgsMBbTQe a year ago
Cyber security tip: don’t show your real identity card or badge online. Respectfully suggested.
@muratkaradas1483 a year ago
I really loved the example you used in this video. Thank you for explaining it in such a clear and relatable way 👍
@MattEland a year ago
Thanks for the kind words!
@LaveshNK2 months ago
Amazing explanation and analogy used!! Thank you for the video
@yx1566 a year ago
thank you so much for this explanation! I searched JWT today since I keep forgetting how JWT works, after watching your video I think I will never forget it
@MattEland a year ago
Glad to hear it!
@aashishpaudel68227 months ago
loved the metaphor, best one I heard so far in this topic
@jpkeys60006 months ago
This metaphor is great. Thank you Matt!
@allhailalona2 months ago
Thank you for this remarkable explanation! I'm glad to be the 875th liker and a new subscriber to your channel!
@estherinyang47792 months ago
Thank you so much for this explanation. Really easy to understand.
@TheJasonTorres5 months ago
This breakdown was my lightbulb moment thank you
@packtrouble6270 a year ago
I would say this is probably the best explanation I have seen.
@MattEland a year ago
Thank you! I believe it came about from traveling to speak at conferences around the same time I taught my students JWT authentication.
@overrevvv a year ago
Thank you so much for being on youtube and this video.
@CodeWithJude a year ago
Great analogy to teach the concept of JWT authentication!
@DanielTakov2 months ago
Perfectly explained thank you!
@walkwithusuf8211 months ago
Brilliant explanation
@paulmittelstaedt6970 a year ago
this video is just perfect
@MattEland a year ago
Glad it helped! Enjoy the journey
@ianpropst-campbell6028 a year ago
This was actually a really helpful analogy. thank you for sharing!
@nanakwasi7690 a year ago
Glad you could help me understand JWT better. Thanks
@adithyar3160 a month ago
luvd the explanation
@tanveeransari9893 months ago
Awesome analogy 🎉
@schwartztutoring7 months ago
Great analogy!
@1337ArMaAa7 months ago
Perfectly explained, thank you so much!
@mikes.2336 a year ago
Thank you! The analogies really helped!
@TamaraPWork6 months ago
amazing explanation, thank you!
@PP-ow1xy a year ago
thank you so much for this very smart analogy Matt! you certainly made a difference to my understanding and you got yourself (at least) one more subscriber (as I am going to share this video with my bootcamp's cohort).
@MattEland a year ago
That's fantastic! I built this in part for my bootcamp students as well, so happy to help others.
@PP-ow1xy a year ago
@@MattEland it's nice you want to pass knowledge whichever way you can. Kudos Matt! Best Regards Panagiotis (linkedin)
@John-eq5cd a year ago
A good analogy, thanks. From what I understand a valid jwt sent by the user's browser allows access to various restricted web pages on an app. Therefore, if the jwt is stolen somehow then the thief will also have access. How likely is this and will possession allow full access without any other checks on the user?
@MattEland a year ago
JWTs are intended to be private and secure. In the case that a JWT is somehow compromised, it is still valid until its expiry date, unless the server does some additional checks beyond validating that a JWT was signed by itself. In an absolute emergency, the server's signing key could be changed, but this would effectively invalidate ALL issued JWTs.
@aviadshalom6614 days ago
my man! great explanation!
@grampro8572 a year ago
Very nice explanation
@MattEland a year ago
Thank you very much! I frequently find myself sharing this one with students curious about careers in data, so I'm glad it helped!
@123pencilboy3 months ago
Thank you so much, I understand the concept now!
@AlexFirsikoff a year ago
Great explanation, thanks a lot!
@MattEland a year ago
Happy to help! This explanation helps a lot of my students and I'm happy to share.
@iraisvalenzuela6147 a year ago
Great explanation! Thank you!
@MattEland a year ago
Glad it was helpful!
@CorneliusKipkorir-c4e a year ago
This is really very interesting content
@justinfok100account6 months ago
very good explanation
@augustinekirumba4304 a year ago
Thanks for the examples, helped understand better
@MattEland a year ago
Glad it helped!
@reeseovine5 months ago
i've understood this pretty well for the most part, but the part that confuses me is what if a JWT gets "lost" like a keycard very easily could? anyone who picks it up could access otherwise restricted areas in theory. surely there must be something preventing this from happening with JWTs?
@MattEland5 months ago
Yes, if a JWT is intercepted it can be used before its expiry. This is why we have an expiration time and date. We rely primarily on transport layer security encrypting the headers to secure our JWTs. Keep in mind that even if you have a valid JWT that JWT will likely only be useful for interacting with some resources so you need to have the JWT and know which URLs it should go to - similar to finding a key card in the lobby of a hotel grants you access to a room, but you're not sure which one. Some systems also offer ways of invalidating JWTs known to be lost or compromised, such as when employees are let go, but this is not required.
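The behaviour described in the two replies above about lost or stolen tokens (valid until expiry, optional server-side invalidation, a key change rejecting every issued token), as an added example that is not from the video or its author. It assumes HS256 with a server-held secret; the keys, the `jti` denylist and the claim values are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign(claims: dict, key: bytes) -> str:
    """Issue an HS256 token; the key stays on the server."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}." + b64url(mac(f"{head}.{body}", key))

def verify(token: str, key: bytes, now: int, revoked: set) -> str:
    """Return 'ok' or the reason the server rejects the token."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(mac(f"{head}.{body}", key), b64url_decode(sig)):
            return "bad-signature"
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        if header["alg"] != "HS256":  # pin the algorithm the server issues
            return "bad-alg"
        exp, jti = claims["exp"], claims.get("jti")
    except (ValueError, KeyError, TypeError, AttributeError):
        return "malformed"
    if not isinstance(exp, int) or now >= exp:
        return "expired"   # the built-in time limit on a lost card
    if isinstance(jti, str) and jti in revoked:
        return "revoked"   # optional server-side denylist lookup
    return "ok"

def demo() -> dict:
    # Constructed values: demo keys, a fixed clock, a 15-minute token.
    key, now = b"constructed-demo-key", 1_700_000_000
    token = sign({"sub": "guest-412", "jti": "card-1", "exp": now + 900}, key)
    return {
        "copied_before_expiry": verify(token, key, now + 60, set()),
        "after_expiry": verify(token, key, now + 901, set()),
        "denylisted": verify(token, key, now + 60, {"card-1"}),
        "after_key_rotation": verify(token, b"rotated-demo-key", now + 60, set()),
    }
```

A short `exp` bounds how long a copied token works; the denylist is the only check here that rejects one specific token early without rotating the key for everyone.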
@MrMarcoAlvarado a year ago
I think what is hard to understand, is that you do not need the secret key for the server side validation of the token, if I'm right. Otherwise there would be no difference to using session.
@MattEland a year ago
Correct. The only one who has the secret key is the server who signs the JWT.
@PeterTurnerBexley12 a year ago
Thank you - that was invaluable!
@MattEland a year ago
No worries. JWTs can be very confusing!
@hlpires10110 months ago
hey this explanation was insane thx
@harithabandara32127 months ago
Thank you❤
@onedev7316 a year ago
thanks for the explanation. can you please do a video on User Impersonation using Identity/JWT with an example in .NET. I am unable to understand how this is going to work when token is generated already. Sorry if question is dumb.
@MattEland a year ago
It's not a dumb question. It's not fully in my typical set of content I produce, but I'll add a backlog item for that. Can't predict when or if I'll get to it, though. You'd likely be best searching for creators who specialize in asp.net configuration and security.
@Netz0 a year ago
The answer to your question is that JWT tokens are for authorization, not for authentication, different things. It just tells you when a request is authorized on a server or application, but not who or what is doing the request. You need to combine it with another authentication form that checks the user to avoid impersonation.
@mufizshaikh8439 a month ago
amazing example!
@poriaasadipour8 months ago
Thank you very much sir!
@neameh.karineh a year ago
Thanks a lot. It was helpful for me.
@MattEland a year ago
Fantastic! Sometimes the right metaphor can do wonders.
@more-uv4nl3 months ago
thanks a lot Sir!
@emma_promise_smartnbc433111 months ago
Thanks
@maziatr7 months ago
JWT is used for Authorisation, not Authentication
@MattEland7 months ago
Very good! Keep going on your learning journey, you're making great progress!
@maziatr7 months ago
@@MattEland You too. Perhaps one day you will find out the difference between the two.
@MattEland7 months ago
@maziatr I don't understand, either I knew already or you told me just now for the first time. In either of those scenarios, I'd know, right? Also, you seem like a hostile person and I wish you well, but I'll leave you on your journey from here.
@Iron_spider99 a year ago
Pronouncing JWT as one word instead of saying their individual letters should be a war crime.
@MattEland a year ago
You should check the JWT specification. It describes how to pronounce it.