jwt (JSON Web Token)

JSON Web Token

• https://tools.ietf.org/html/rfc7519

• https://en.wikipedia.org/wiki/JSON_Web_Token

• https://jwt.io/

• https://www.devglan.com/spring-security/spring-boot-jwt-auth

• https://www.baeldung.com/spring-security-oauth-jwt

Overview

In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned and must be saved locally (typically in local or session storage, but cookies can also be used), instead of the traditional approach of creating a session in the server and returning a cookie.

The tokens are designed to be compact,[2] URL-safe,[3] and usable especially in a web-browser single-sign-on (SSO) context. JWT claims can be typically used to pass identity of authenticated users between an identity provider and a service provider, or any other type of claims as required by business processes.

This is a stateless authentication mechanism as the user state is never saved in server memory. The server's protected routes will check for a valid JWT in the Authorization header, and if it is present, the user will be allowed to access protected resources. As JWTs are self-contained, all the necessary information is there, reducing the need to query the database multiple times.