¶ Definition and Utilization of JWT Token

Update Time: 2022-06-19 15:23:15

How to verify a token in the Authing system:

How To Validate User Token?

¶ Introduction of JWT Token

JSON Web Token (JWT, RFC 7519) is an open standard based on JSON. It is designed to be compact and secure, and is particularly suited to single sign-on (SSO) across distributed sites. JWT claims are generally used to pass information about an authenticated user between an identity provider and a service provider so that the service provider can release its resources; additional claims for other business logic can also be added. A JWT can be encrypted, or used directly for authentication.

For details, please refer to this article: What is JWT

¶ Verification Flow

¶ User Authentication Process

  • The user sends an authentication request with a username and password
  • The server verifies the username and password against the database
  • After successful validation, the server returns a JWT token
  • The client stores the JWT token and presents it with each request (How to present it?)
  • The server verifies the JWT token and returns the resource to the valid user (How to verify it?)

¶ Security Restriction

To prevent malicious user registration, Authing applies the following restrictions per IP address by default:

  • If the same IP address registers 3 or more times within 5 minutes, the IP address is banned.
  • If the same IP address fails to log in 3 times within 5 minutes, OTP verification is required.

    The thresholds can be customized. Please refer to Enable/Disable/Config Registration Counts Restriction.
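To make the two defaults concrete, here is an added example (not Authing's code) of a per-IP sliding-window counter that produces the same decisions: the third registration from one address inside five minutes bans it, and the third failed login inside five minutes triggers OTP. The IP addresses, window, threshold and clock are constructed or injectable so the behaviour can be reproduced offline.

```javascript
// Added example, not Authing's code: a per-IP sliding-window counter that
// implements the two defaults described above (3 registrations in 5 minutes
// bans the address; 3 failed logins in 5 minutes requires OTP). The window,
// threshold and clock are injectable, so the behaviour can be reproduced.
const WINDOW_MS = 5 * 60 * 1000;
const THRESHOLD = 3;

class SlidingWindowCounter {
  constructor({ windowMs = WINDOW_MS, threshold = THRESHOLD, now = () => Date.now() } = {}) {
    this.windowMs = windowMs;
    this.threshold = threshold;
    this.now = now;
    this.events = new Map(); // key -> timestamps (ms) of events still inside the window
  }

  // Record one event for `key` and return how many events the key has in the window.
  record(key) {
    const t = this.now();
    const recent = (this.events.get(key) || []).filter((ts) => t - ts < this.windowMs);
    recent.push(t);
    this.events.set(key, recent);
    return recent.length;
  }

  // True once the key has reached the threshold within the window.
  exceeded(key) {
    return this.record(key) >= this.threshold;
  }
}

// Separate counters per event type: a burst of registrations and a burst of
// failed logins are different signals with different responses.
const registrations = new SlidingWindowCounter();
const failedLogins = new SlidingWindowCounter();

function onRegistration(ip, counter = registrations) {
  return counter.exceeded(ip) ? 'ban_ip' : 'allow';
}

function onFailedLogin(ip, counter = failedLogins) {
  return counter.exceeded(ip) ? 'require_otp' : 'allow';
}

// Constructed sample: one address registering three times in quick succession
const SAMPLE_IP = '203.0.113.5'; // documentation range, not a real client
console.log([1, 2, 3].map(() => onRegistration(SAMPLE_IP)));
// → [ 'allow', 'allow', 'ban_ip' ]
```

Events older than the window are dropped on every record, so an address that stays quiet for five minutes is back to a clean count; a production deployment would keep the counters in shared storage rather than in process memory.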

¶ How to Present Client Stored JWT Token

Authing returns a JWT token to the developer after authentication succeeds. The developer stores the JWT token on the client side and presents it to the backend server for validation.

Carrying the JWT token in the HTTP Authorization header is recommended. Example (Axios in JavaScript):

const axios = require('axios')
axios
  // axios.get takes the URL as its first argument and the request config as its second
  .get('https://yourdomain.com/api/v1/your/resources', {
    headers: {
      Authorization: 'Bearer ID_TOKEN',
    },
  })
  .then((res) => {
    // custom codes
  })
  .catch((err) => {
    // handle a 401 from the server (expired or invalid token)
  })

Notice the Bearer prefix in the Authorization header value.

¶ What is Bearer?

A Bearer token (RFC 6750) is used to authorize access to resources: any holder of the bearer token can use it to access the associated resources without needing a cryptographic key. The bearer token represents the scope of authorization, its validity period and other authorization attributes. Its lifetime should not be too long, and it can be renewed with a Refresh Token. Transport Layer Security (TLS) must be used to prevent the token from being disclosed in transit.

It is recommended that developers use the Bearer scheme for every request that carries a token.
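The client side of the Bearer scheme is shown in the Axios snippet above; the following is an added example (not Authing's code) of the server side for both sections: extracting the token from the Authorization header using the RFC 6750 syntax (case-insensitive scheme name, one b64token, nothing else) and answering with the WWW-Authenticate challenge the RFC defines when the header is missing or the token is rejected. The `verifyToken` callback, the realm name and the sample header values are assumptions for illustration.

```javascript
// Added example, not Authing's code: server-side handling of the Bearer scheme.
// RFC 6750 section 2.1 defines
//   credentials = "Bearer" 1*SP b64token
//   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
// and the scheme name itself is case-insensitive (RFC 7235).
const BEARER_RE = /^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$/i;

// Returns the token string, or null if the header is absent or malformed.
function extractBearerToken(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const m = BEARER_RE.exec(authorizationHeader.trim());
  return m ? m[1] : null;
}

// Builds the WWW-Authenticate challenge a resource server returns with a 401
// (RFC 6750 section 3) so the client learns why the request was rejected.
// The realm name is an assumed value.
function bearerChallenge(error, description) {
  const realm = 'api';
  if (!error) return `Bearer realm="${realm}"`;
  return `Bearer realm="${realm}", error="${error}", error_description="${description}"`;
}

// Minimal request handler: 401 without a usable token; otherwise hand the token
// to the backend's verifier (verifyToken is a hypothetical callback that returns
// claims or throws) and attach the claims to the response.
function handleRequest(headers, verifyToken) {
  const token = extractBearerToken(headers.authorization);
  if (token === null) {
    return { status: 401, headers: { 'WWW-Authenticate': bearerChallenge() } };
  }
  try {
    const claims = verifyToken(token);
    return { status: 200, claims };
  } catch (e) {
    return {
      status: 401,
      headers: { 'WWW-Authenticate': bearerChallenge('invalid_token', e.message) },
    };
  }
}

// Constructed sample request and a stand-in verifier that accepts one fixed token
const SAMPLE_HEADERS = { authorization: 'Bearer sample.token.value' };
const sampleVerifier = (t) => {
  if (t !== 'sample.token.value') throw new Error('signature check failed');
  return { sub: 'user-123' };
};
console.log(handleRequest(SAMPLE_HEADERS, sampleVerifier));
console.log(handleRequest({ authorization: 'Basic dXNlcjpwYXNz' }, sampleVerifier));
```

Rejecting anything that is not a single b64token keeps tokens with embedded whitespace or a second scheme from reaching the verifier, and the challenge distinguishes "no token at all" from "token present but invalid" without echoing the token back.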
