JWT Authentication Explained

  28,028 views

Matt on Data Science

A day ago

Comments: 98
@MattEland 2 years ago
This is also available in written form on my blog: newdevsguide.com/2022/11/12/json-web-tokens-simplified/
@MatthewMiller-hk7kw 7 months ago
Single-handedly the best explanation I've ever gotten over this!
@MattEland 6 months ago
Thanks! It's just a very well-suited metaphor.
@ChinchillaDave 10 months ago
JWT equals hotel key card. Brilliant, thank you! Both require upfront verification once but permit use of the token in subsequent interactions as a replacement, for a certain time period and subject to further rules and limitations. So good!
@omotosoiyanu1767 8 months ago
I have been watching videos and reading articles on JWT for some time now and I still find myself going back to another article to understand even the basics but after watching this I don’t think I will ever go back to watching a video on just the basic understanding of JWT again … Thank you very much
@muratkaradas1483 a year ago
I really loved the example you used in this video. Thank you for explaining it in such a clear and relatable way 👍
@MattEland a year ago
Thanks for the kind words!
@yx1566 a year ago
thank you so much for this explanation! I searched JWT today since I keep forgetting how JWT works, after watching your video i think i will never forget it
@MattEland a year ago
Glad to hear it!
@allhailalona a month ago
Thank you for this remarkable explanation! I'm glad to be the 875th liker and a new subscriber to your channel!
@LaveshNK 28 days ago
Amazing explanation and analogy used!! Thank you for the video
@aashishpaudel6822 6 months ago
loved the metaphor, best one I heard so far in this topic
@TheJasonTorres 4 months ago
This breakdown was my lightbulb moment, thank you
@packtrouble6270 a year ago
I would say this is probably the best explanation I have seen.
@MattEland a year ago
Thank you! I believe it came about from traveling to speak at conferences around the same time I taught my students JWT authentication.
@jpkeys6000 4 months ago
This metaphor is great. Thank you Matt!
@ADHJkvsNgsMBbTQe a year ago
Cyber security tip: don’t show your real identity card or badge online. Respectfully suggested.
@overrevvv a year ago
Thank you so much for being on youtube and this video.
@estherinyang4779 a month ago
Thank you so much for this explanation. Really easy to understand.
@CodeWithJude a year ago
Great analogy to teach the concept of JWT authentication!
@paulmittelstaedt6970 a year ago
this video is just perfect
@MattEland a year ago
Glad it helped! Enjoy the journey
@DanielTakov a month ago
Perfectly explained, thank you!
@ianpropst-campbell6028 a year ago
This was actually a really helpful analogy. thank you for sharing!
@nanakwasi7690 a year ago
Glad you could help me understand JWT better. Thanks
@1337ArMaAa 6 months ago
Perfectly explained, thank you so much!
@PP-ow1xy a year ago
thank you so much for this very smart analogy Matt! you certainly made a difference to my understanding and you got yourself (at least) one more subscriber (as I am going to share this video with my bootcamp's cohort).
@MattEland a year ago
That's fantastic! I built this in part for my bootcamp students as well, so happy to help others.
@PP-ow1xy a year ago
@MattEland it's nice you want to pass knowledge whichever way you can. Kudos Matt! Best Regards Panagiotis (linkedin)
@adithyar3160 14 days ago
luvd the explanation
@walkwithusuf82 9 months ago
Brilliant explanation
@schwartztutoring 6 months ago
Great analogy!
@tanveeransari989 2 months ago
Awesome analogy 🎉
@mikes.2336 a year ago
Thank you! The analogies really helped!
@123pencilboy a month ago
Thank you so much, I understand the concept now!
@TamaraPWork 5 months ago
amazing explanation, thank you!
@CorneliusKipkorir-c4e a year ago
This is really very interesting content
@John-eq5cd a year ago
A good analogy, thanks. From what I understand a valid jwt sent by the user's browser allows access to various restricted web pages on an app. Therefore, if the jwt is stolen somehow then the thief will also have access. How likely is this and will possession allow full access without any other checks on the user?
@MattEland a year ago
JWTs are intended to be private and secure. In the case that a JWT is somehow compromised, it is still valid until its expiry date, unless the server does some additional checks beyond validating that a JWT was signed by itself. In an absolute emergency, the server's signing key could be changed, but this would effectively invalidate ALL issued JWTs.
@reeseovine 4 months ago
i've understood this pretty well for the most part, but the part that confuses me is what if a JWT gets "lost" like a keycard very easily could? anyone who picks it up could access otherwise restricted areas in theory. surely there must be something preventing something like this from happening with JWTs?
@MattEland 4 months ago
Yes, if a JWT is intercepted it can be used before its expiry. This is why we have an expiration time and date. We rely primarily on transport layer security encrypting the headers to secure our JWTs. Keep in mind that even if you have a valid JWT, that JWT will likely only be useful for interacting with some resources, so you need to have the JWT and know which URLs it should go to - similar to finding a key card in the lobby of a hotel grants you access to a room, but you're not sure which one. Some systems also offer ways of invalidating JWTs known to be lost or compromised, such as when employees are let go, but this is not required.
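The server-side checks discussed in the two replies above (signature, expiry, and an optional list of tokens known to be lost), as an added example that is not from the video or its author. It uses HS256 with Python's standard library only; the key, the claim values and the `REVOKED_JTIS` set are constructed for illustration.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key is long and random
REVOKED_JTIS = set()                    # hypothetical server-side denylist of token ids

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> str:
    return b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def issue(claims: dict, key: bytes = SIGNING_KEY) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{sign(header + '.' + payload, key)}"

def verify(token: str, now: int, key: bytes = SIGNING_KEY) -> dict:
    """Return the claims, or raise ValueError naming the check that failed."""
    try:
        header_b64, payload_b64, signature = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError) as exc:  # bad part count, base64 or JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = sign(header_b64 + "." + payload_b64, key)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        raise ValueError("bad signature")
    # A stolen token keeps working until this moment, so lifetimes stay short.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    # Optional extra check: reject tokens reported lost or compromised.
    if claims.get("jti") in REVOKED_JTIS:
        raise ValueError("revoked")
    return claims
```

Verifying with a different key fails for every previously issued token, which is the "change the signing key" emergency measure; adding one `jti` to the denylist rejects only that token.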
@augustinekirumba4304 a year ago
Thanks for the examples, helped understand better
@MattEland a year ago
Glad it helped!
@iraisvalenzuela6147 11 months ago
Great explanation! Thank you!
@MattEland 11 months ago
Glad it was helpful!
@BruceChan-du4uf 5 months ago
very good explanation
@PeterTurnerBexley12 a year ago
Thank you - that was invaluable!
@MattEland a year ago
No worries. JWTs can be very confusing!
@hlpires101 9 months ago
hey this explanation was insane thx
@MrMarcoAlvarado a year ago
I think what is hard to understand is that you do not need the secret key for the server side validation of the token, if I'm right. Otherwise there would be no difference to using session.
@MattEland a year ago
Correct. The only one who has the secret key is the server who signs the JWT.
@mufizshaikh8439 16 days ago
amazing example!
@grampro8572 a year ago
Very nice explanation
@MattEland a year ago
Thank you very much! I frequently find myself sharing this one with students curious about careers in data, so I'm glad it helped!
@poriaasadipour 7 months ago
Thank you very much sir!
@harithabandara3212 6 months ago
Thank you❤
@neameh.karineh a year ago
Thanks a lot. It was helpful for me.
@MattEland a year ago
Fantastic! Sometimes the right metaphor can do wonders.
@onedev7316 a year ago
thanks for the explanation. can you please do a video on User Impersonation using Identity/JWT with an example in .NET. I am unable to understand how this is going to work when token is generated already. Sorry if question is dumb.
@MattEland a year ago
It's not a dumb question. It's not fully in my typical set of content I produce, but I'll add a backlog item for that. Can't predict when or if I'll get to it, though. You'd likely be best searching for creators who specialize in asp.net configuration and security.
@Netz0 a year ago
The answer to your question is that JWT tokens are for authorization, not for authentication, different things. It just tells you when a request is authorized on a server or application, but not who or what is doing the request. You need to combine it with another authentication form that checks the user to avoid impersonation.
@emma_promise_smartnbc4331 9 months ago
Thanks
@more-uv4nl 2 months ago
thanks a lot Sir!
@maziatr 5 months ago
JWT is used for Authorisation, not Authentication
@MattEland 5 months ago
Very good! Keep going on your learning journey, you're making great progress!
@maziatr 5 months ago
@MattEland You too. Perhaps one day you will find out the difference between the two.
@MattEland 5 months ago
@maziatr I don't understand, either I knew already or you told me just now for the first time. In either of those scenarios, I'd know, right? Also, you seem like a hostile person and I wish you well, but I'll leave you on your journey from here.
@Iron_spider99 11 months ago
Pronouncing JWT as one word instead of saying their individual letters should be a war crime.
@MattEland 11 months ago
You should check the JWT specification. It describes how to pronounce it.
@Iron_spider99 11 months ago
@MattEland blasphemy