Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is signed authentication token?

Tags:

Currently I'm learning about JWT and started with the token based authentication. I don't understand the sentence from the article:

Token based authentication works by ensuring that each request to a server is accompanied by a signed token which the server verifies for authenticity and only then responds to the request.

What is signed token? What does it mean to sign a token? I can't find the question on SO.

like image 914
Artem Malchenko Avatar asked Jan 30 '18 08:01

Artem Malchenko

People also ask

What does a signed token mean?

Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.

What are authentication tokens examples?

These are three common types of authentication tokens: Connected: Keys, discs, drives, and other physical items plug into the system for access. If you've ever used a USB device or smartcard to log into a system, you've used a connected token.

What are the different types of authentication tokens?

The most common types of tokens are key fobs and USB or wireless tokens. Hardware tokens can be divided into three categories. Contactless—a contactless token doesn't require you to enter an access code or connect to a device.

1 Answers

A signature is something that can be verified.

The main problem you're trying to solve is this: the server creates some arbitrary value, the token, which it gives to the client. The client subsequently gives it back to the server as proof of something (proof that they're authenticated, for instance). Now, how can the server be sure that the token is genuine, and the client didn't just make it up?

That's where the signature comes in. It's part of the token, and the server can verify that it had previously created that signature, and that the signature was created for this particular token. In a nutshell, the signature is a hash of the contents of the token plus a secret only the server possesses; to verify the signature the server repeats the hash of the token's contents and the secret only it has, and if it matches, that means the token's signature must have been created the same way which assures the two desired attributes of authenticity.

For the gnarly details of how a JWT signature is computed specifically, read the specification.

like image 193
deceze Avatar answered Sep 24 '22 00:09

deceze
Sign in to Comment

Related questions

Count of elements in lists within pandas data frame
How to add comment in Mysql column using Laravel Migrations
Google Chrome Dev tools can not show body content in Elements Tag
Material UI Tooltip Stays Open after triggered Dialog is closed
Android Text-To-Speech API Sounds Robotic
What are single and zero element tuples good for?
Hide address bar in Progressive Web Applications
Native path separator bug in C++17 std::filesystem::path?
Units for types in C++
Round a decimal number to the first decimal position that is not zero
JavaScript - babel-preset-env not transpiling arrow functions for IE11
Is it possible to use the new Android app bundle architecture with RN 0.57?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!