Flask Demo - 04

JWT - JSON Web Tokens

JWT (JSON Web Tokens)

JWT (JSON Web Tokens) is a compact way to transmit claims between parties as a signed JSON object. It has several advantages over traditional username/password authentication, especially in stateless applications. It is important to understand, however, that JWT is not only an authentication mechanism; it is also a format for information exchange and for maintaining stateless sessions. Here is a breakdown of its security aspects and how it compares to traditional methods:

  1. Statelessness and Scalability: JWTs are self-contained and carry all the necessary information within the token. This stateless nature allows for better scalability, as the server does not need to maintain a session state.

  2. Flexibility: JWTs can be used across different domains, making them ideal for microservices architecture and authenticating API requests in a distributed system.

  3. Security: JWTs are cryptographically signed and can optionally be encrypted, offering stronger and more flexible protection than Basic Authentication, which merely encodes the credentials.

  4. Compact and Self-Contained: JWTs carry all the required information about the user, so the server does not have to look the user up in the database on every request. This can improve performance by reducing repeated database lookups.

  5. Rich Payload: JWTs can contain a payload of claims. These claims can include user details and permissions applicable for fine-grained access control in APIs.

  6. Widely Supported: JWTs are widely supported across various programming languages and platforms.

  7. Use in Modern Authentication Flows: JWTs are commonly used in OAuth 2.0 and OpenID Connect flows, standard authentication and authorization protocols used by many modern applications.

However, JWTs are not without their drawbacks and must be used correctly to ensure security:

  • Storage: Tokens are typically kept in client-side storage (for example, localStorage), which is exposed to XSS attacks. Proper precautions must be taken to mitigate this risk.

  • No Server-Side Revocation: Since JWTs are stateless, there is no built-in way to revoke a token before it expires; doing so requires reintroducing server-side state. This is a problem if a token is compromised.

  • Sensitive Data: Don't store sensitive data in a JWT. A signed JWT is only base64url-encoded, not encrypted: anyone who obtains the token can decode it and read its claims.

  • Transmission Security: Always use HTTPS to transmit JWTs to prevent man-in-the-middle attacks.

## JSON Web Tokens

Start the demo app and request a token:

```shell
python3 api_demo/flask_04_jwt_auth_app.py
curl -X POST -H "Content-Type: application/json" -d '{"username":"user1", "password":"password1"}' http://127.0.0.1:5004/login
```

The token expires in 30 seconds.

Call the protected endpoint with the token in the `Authorization` header:

```shell
curl -X GET -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwMzUzMzIwNiwianRpIjoiMGY5MmNlNTUtNmRmNS00YjM0LTkyMWQtMDc3NGU5YzhkMmY3IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6InVzZXIxIiwibmJmIjoxNzAzNTMzMjA2LCJjc3JmIjoiZTBmMDg3MmMtZWQ2ZC00MTdhLTg1NDYtMDA1NWMxOTIzZjkzIiwiZXhwIjoxNzAzNTMzMjM2fQ.dfkiOYI2ka00pYvRQ316lt4kESEGN7ZerE9Q2q75XQM" http://127.0.0.1:5004/items
```

YouTube video: https://www.youtube.com/watch?v=P2CPd9ynFLg&ab_channel=ByteByteGo