What is signed authentication token?

Currently I'm learning about JWT and started with the token based authentication. I don't understand the sentence from the article:

Token based authentication works by ensuring that each request to a server is accompanied by a signed token which the server verifies for authenticity and only then responds to the request.

What is signed token? What does it mean to sign a token? I can't find the question on SO.

Artem Malchenko asked Jan 30 '18 08:01



1 Answer

A signature is something that can be verified.

The main problem you're trying to solve is this: the server creates some arbitrary value, the token, which it gives to the client. The client subsequently gives it back to the server as proof of something (proof that they're authenticated, for instance). Now, how can the server be sure that the token is genuine, and the client didn't just make it up?

That's where the signature comes in. It's part of the token, and the server can verify that it had previously created that signature, and that the signature was created for this particular token. In a nutshell, the signature is a hash of the contents of the token plus a secret only the server possesses; to verify the signature, the server repeats the hash of the token's contents and the secret only it has, and if it matches, that means the token's signature must have been created the same way, which assures the two desired attributes of authenticity.

For the gnarly details of how a JWT signature is computed specifically, read the specification.

deceze answered Sep 24 '22 00:09
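The scheme deceze describes, as an added example in Python that is not part of the original post: a JWT signed with HS256, where the "hash of the contents plus a secret" is an HMAC-SHA256 keyed with a secret only the server holds, and verification recomputes that HMAC and compares. The secret and the claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real server keeps this private and random.
SECRET = b"example-server-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding stripped by the encoder before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Create an HS256 JWT of the form header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    # The signature is a keyed hash (HMAC-SHA256) over header.payload.
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, secret: bytes):
    """Recompute the HMAC and compare; return the claims, or None if invalid."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # not three dot-separated parts
    header = json.loads(b64url_decode(header_b64))
    # Refuse any algorithm other than the one tokens are issued with.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))
```

A client that edits the payload but keeps the old signature, or that guesses the secret wrong, gets `None` back, which is exactly the "didn't just make it up" guarantee the answer is after.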