#35 What is JWT and Why


Transcript

00:00

JWT. Oh, this "jot": JWT stands for JSON Web Token. In short, we call it "jot" because it is easier to pronounce, so we'll say "jot" from this time, or JWT; I will go with both the words. "Jot" or JWT stands for

00:15

JSON Web Token, as I mentioned. So we'll talk about why do we need JWT, we'll talk about what is JWT, and then we'll focus on how do we implement that in our project. See, the thing is, when you talk about security, of course we have done a lot of things about security till this point. We were able to log in so

00:31

that we can access resources. So what resource am I talking about? So let's say we have a client here, a happy client, and then we got a server here. And of course every time you try to access any resource from the server, basically we send a request, of course, but the first

00:47

request should be for the login, otherwise you cannot access the resource. Yes, there are certain resources where you don't need restrictions, but let's say you got a resource which is protected, and if you want to access it you need to log in first. And when you log in, of course, for login you have

01:03

to provide your credentials. It can be username, password or anything else, and this goes to the server. The server says, okay, you are an authorized person or application and you can access the resource now. So of course you are already happy, you are doing transactions and everything is going well. But then

01:19

every time you access some other resource, let's say on the application or the server you have 10 resources, and when you access one resource you provide the credential, it works. For the next access you don't have to provide credentials, right? Because you are logged in already, then why do you have to provide credentials? And that's why we use

01:35

something called session. So what happens is, when a client sends a request to the server and it is logged in, you maintain a session. Basically you have a session ID stored on the server. Let's say the session ID is 102, and then every time the client goes to the server it says, hey,

01:51

I'm this and my session ID is 102, and then the server knows, okay, this person has logged in earlier, we don't have to ask for username and password every time. And that's why if you go to any website, let's say Gmail, I don't remember when was the last time I have logged into Gmail. So on this machine, not this

02:07

machine, my personal machine, I have Gmail logged in for a very long time. I mean, not just Gmail, most of the applications, right? And then I can actually use other Google applications, let's say Google Drive or Google Meet,

02:23

just by that sign-in. So we have something called SSO, which is single sign-on, where you log in once and you get to access all the other applications. But yeah, the main point is you don't have to log in multiple times, you just do it once. So to achieve that we use something called session. Okay, so what is wrong

02:39

with session? It's great, but then there are some drawbacks, and to understand that let's go with an example. So let's say I am Navin Reddy, I am ready, okay. So let's say I go to different offices for training or some consulting work, and then every time I visit a company, maybe

02:55

the process goes for two weeks or three weeks or a month, okay. And then every day I leave my home, I go to the office, and in between maybe I want to have a coffee, okay. So what I do is, I know for a particular office there is a coffee store there. So there's a coffee store

03:11

here, and then this store's name is... what, I made a cube, I don't know why, but let's say this coffee store is Tea Coffee. I know that sounds a good name, but yeah. So we got a Tea Coffee shop here, and then I go there, I pay some amount, let's say maybe $5 for a coffee. I know that's

03:28

a costly one, but let's say I pay $5 for coffee and then I get a coffee, right? I'm very happy. So that's a server, that's a client, the payment has been done. And I was thinking, okay, so I go there every day, right? So for the next two weeks or maybe the next three weeks I will be having my coffee there, so why don't I make a

03:44

pass, a monthly pass, or maybe I will pay up front. Well, I will get some discount, I don't have to stand in a queue to order the coffee, I can just show my card and I can say, hey, you know, give me the coffee. And that sounds good, right? You don't have to stand in a queue, you don't have to carry change, or you don't have to scan to pay every time,

03:59

you just pay at once. So we had a deal, okay. So that person there, so let's say the person's name is Bob. So let's say Bob is here, and then Bob says, hey Navin, you can just pay $50 once and then you can access the coffee. You can come here every morning, you can get your coffee and we'll give it to you. So $50,

04:15

good amount, so that's for the entire three weeks. I'm very happy, I got a discount as well, lot of benefits, right? And I'm going there, I'm showing my face, and then this Bob knows who I am, so he gives me a coffee. But let's say after a few days I can't see Bob there. Bob

04:31

has been replaced by some other person, let's say Rohit. So when I go to the coffee shop now, I don't see Bob there, and Rohit says, who are you? And that's weird, right? I mean, I have paid for the coffee, but Rohit has no idea who I am. So if you go back to the scenario, instead of Bob knowing my face we could

04:48

have done some better thing, right? What if Bob could have given me an ID? Let's say Bob will maintain a book there, and in that book it is mentioned that 102 is Navin and he has already paid $50, right? And then I can

05:03

carry an ID card with me which says 102, and every time I go there I can show the card, and then now Bob or Rohit, doesn't matter who that person is, can see: hey, you know, I can see your name mentioned in the registry, I can just give you the coffee. So it doesn't matter who that

05:18

person is, I can get my coffee now. So that's one scenario. Let's go for more scenarios. Let's say now I'm not just going to one training, one city, let's say I travel to multiple cities, and I realized that most of the tech spaces have the same coffee shop, Tea

05:34

Coffee shop, okay. And then let's say I was in Mumbai, now I'm going to, let's say, Delhi, and there I want to do the same thing. I'm going to a company but I want to have a coffee. So I was in Mumbai and now I'm going to Delhi, same coffee shop, this time I'll make it just a box. And now when I go there, there's a

05:51

person here, let's say the person's name is different, I will not draw this again. So let's say there the person's name is, uh, Mahesh, and I go to Mahesh by saying, hey, you know, I have already paid $50 in the Mumbai office and now I want to get my coffee. And now Mahesh says, I

06:08

don't know who you are. And then I will say, hey, you know, don't worry, I got an ID with me, I will show you the ID. And now Mahesh is looking at the registry, the local book in the Delhi coffee shop, and then he can't find my name there. The reason is very simple: the book was there in Mumbai, not in Delhi, right? So we got two

06:24

different offices, or maybe we can have 10 different offices all over the world, and I go there, no one knows who I am. So this is failing. So what they could have done is, instead of going for a local copy, they could have made a server in between, and all these offices can share the same server

06:41

where they can maintain the entry by saying Navin Reddy already paid $50 and for 3 weeks he can access the coffee. And now they can do it, so all these different offices can share the same server, and this will solve the problem, right? And I was happy, he was happy,

06:57

everything is done. But sometimes this common database between different servers creates some issues, okay. It may also slow down the stuff. So this is one problem. How do we solve this problem? So in order to solve this problem, let's go for some other approach.

07:13

Let's say I'm that person, let's go back to the original scenario. This is the coffee shop, which is the Tea Coffee shop, and then there's a Bob here. Initially it was Bob, right? So let's go with Bob, and now let's change the scenario. I'm going to the server, or the coffee shop, I said

07:29

I will pay you $50, you give me the access, and then on that day of course I got the coffee. But then, instead of giving me an ID, and they also have to maintain the registry, right? Instead of that, what Bob is doing now is Bob is giving me a card. Initially also I got a card, but this time a different card.

07:45

Now this card will have certain different things. Example: first of all, the card will have my name. The card will also have the issue date, when the card was issued, and when is the expiry. Of course expiry is required, otherwise I will enjoy the coffee for my

08:03

entire career or for my entire lifetime, provided the doctor doesn't say don't drink coffee, otherwise I will enjoy this, right? So name, issue date and expiry, that's what I want from them, that's what I got. So every time I go to the coffee shop I will take my ID, I will show it to them, and they will say, okay, the ID looks good, and they will give

08:20

me back my ID and then I can get the coffee. So name, issue date and expiry works here. Now what is not working is, you know, one of my friends, he also goes with me for different trainings, or maybe we meet sometimes, and then I have given him this idea: hey, you

08:35

know what you can do, you can talk to Bob and you can get this card. You don't have to stand in a queue, you don't have to pay every time, you can pay it once and you can get a discount as well. And now this guy is very smart. What he did, he looked at my ID, or the card, and he says, okay, I can simply make a fake copy of it,

08:52

and then what he's doing is he's basically changing just one thing: instead of my name he's using his name, let's say Harsh. And now Harsh can access the coffee. So Harsh can go there, so Harsh is here, Harsh takes this card and goes and gives it to the coffee shop, and then the coffee shop gives him the coffee. But don't you think

09:08

this is a fake one? It's not given by Bob, and maybe Harsh can go to different cities all over the world and use the same card. So how can you stop it? It's very easy. What if the manager gives a sign there, maybe Bob or a manager, or maybe a stamp

09:23

of that coffee shop which you can get here, and that stamp is important, and if any card is not having the stamp then you know that this is a fake one, okay. So this is how you can solve this, and this thing which I got is called a token, okay. So I can use this token every time. Now the

09:40

question arises, how would you represent this token in the data format? We have different formats. We can use XML, so in the earlier days people used to use XML for this token. Now what I'm talking about, this is the virtual world, client and server. So when you got a client, when you got the server, when they want to

09:56

exchange a token, they will exchange a token in XML form. But the problem with XML is it is very bulky, and even if you want to encode it the output will also be bulky, and that's why we have to go for a smaller format. So we got the alternative there, and the alternative is

10:12

JSON. Now JSON stands for JavaScript Object Notation, so you can represent your data in a small format, and also you can encode it to make it even smaller. So it is very easy to carry between the client and server, it would be lightweight, and that's where we

10:27

thought, okay, let's use JSON, and we are building some token, and this will be used for the web. So in short this is called JWT, which stands for JSON Web Token. In fact there's a website called jwt.io or

10:43

jwt.ms, you can go to any of these, okay. So what is JWT? So JWT stands for JSON Web Token, an open industry standard RFC 7519 method for representing claims. Now what is a claim? So this data on this card is a claim. So I'm claiming to be Navin Reddy, I'm claiming that the issue date

11:00

is this, the expiry is this, those are the claims I can transmit between two different parties, the client and server. And the beautiful thing about this is you can store your data in this format. If you can see, we got a data here, right, which is called a payload. So whatever the card is, that's a payload. It will have

11:15

the name, it will have the issuance time, you can also have the expiry time here. So you can see this is the issuance time, I can also add the expiry here, colon, with the same number, but I will just modify something. I will just change it here, instead of three let's say

11:31

four, any number, it just doesn't matter. So you can see this time is 18th Jan 2018 and 7 a.m., hopefully, and this one it's not able to interpret, this is weird, yeah. So you can see this is 9:47, so we got 2 and a half hours of

11:49

session. So this is the issue time, this is the expiry time, that's how you can pass this. Apart from this you can also send a header, so the header will have the algorithm. So to build this token you can use some algorithms: we have HS, we got RS. So HS basically is HMAC, RS

12:04

is basically RSA, we also got ES. RSA and ES, they are asymmetric cryptography, they use public and private key, and HS uses a symmetric key. Now if you're not sure what these keys are, I will give you a basic introduction, but to know more

12:19

you can check out the video in the link, a separate video on digital signature and cryptography, okay. And then you specify those things, algorithm and the type, which is JWT here, and you will also give a signature. Remember Bob or the manager will give a signature, and you can use that to verify

12:36

this is valid. But then you don't have to send all this data from client to server, server to client. What you send is this encoded format, a short format, okay. So when you say you're exchanging between client and server, you send this. So that means every time now you don't have to

12:51

maintain session. So let's go back here with this original client server. So now every time you want to access a resource, let's say you want a resource for students, what you do is you send a request for the students, /students, but then you also send the token. Now how you

13:07

got the token: when you logged in for the first time, what you received from server to client is JWT, the token. And every time you go to the server, and if you say, hey, I want students, and the server says, who are you, you can say, hey, this is my JWT, I'm sending it with the request,

13:23

verify it and you will know who I am. So that's how basically JWT works. Now when you talk about the signature, basically you can use different algorithms, right? So we have something called cryptography. So what you do is you send a plain text, right? Now instead of sending a plain text you can send a cipher text, you encrypt it, and then of

13:40

course you can use a key there to encrypt and decrypt. If you use a different key for encryption and decryption, that's called asymmetric, where you have a private key and public key. But then let's say if you want to achieve digital signature, you can use these two keys to achieve digital signature as well. Again, how? You can find the link in the description, check

13:56

that video, it's very important, and you will get to know how digital signature works. And by doing this, by doing JWT, you're not actually achieving secrecy. What you're achieving is accountability. That means if you see a stamp on a card you know that this is valid. Anyone

14:12

can read the card, it's not like you are stopping someone from reading this card, because you're sending the data on the internet, right? So you're sending the JWT with the login request, of course anyone can see that. You can also encrypt it, you can use HTTPS instead of HTTP. So by default we are using HTTP

14:28

here, you can use HTTPS to secure your token as well. But the main reason for using JWT is not secrecy, it's accountability. But yeah, you can also achieve secrecy, as I mentioned. So that's it about why JWT and what is JWT. How do we

14:44

implement this? Let's see in the next video.
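The card-with-a-stamp idea from the transcript, written out as an added example that is not code from the video or from the Telusko project: a minimal HS256 JSON Web Token built from Python's standard library only. It shows the three base64url parts (header.payload.signature), the HMAC "stamp" Bob puts on the card, the expiry check, and two of the points the speaker makes: the payload is readable by anyone without the key (accountability, not secrecy), and a copied card with the name changed fails verification because the stamp no longer matches. The secret, the claim names and the `iat` value (chosen to match the 18 Jan 2018 date read off jwt.io in the video) are constructed for the demo; the "3 to 4" digit change the speaker makes corresponds to the 10000-second lifetime used here.

```python
"""HS256 JSON Web Token: issue, inspect and verify, stdlib only (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service loads this from a secret store.
SECRET = b"constructed-demo-secret-not-for-production"

# Constructed: the default iat shown on jwt.io (18 Jan 2018), as read out in the video.
ISSUED_AT = 1516239022
LIFETIME_SECONDS = 10000  # changing one digit "3 -> 4" in the video adds 10000 s


def b64url_encode(raw: bytes) -> str:
    """JWT segments use base64url with the '=' padding removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def issue_token(name: str, issued_at: int, lifetime_s: int, secret: bytes) -> str:
    """Bob's stamped card: header.payload, signed with HMAC-SHA256 as the 'stamp'."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"name": name, "iat": issued_at, "exp": issued_at + lifetime_s}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    stamp = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(stamp)


def read_payload_without_key(token: str) -> dict:
    """The card is readable by anyone: no key is needed to see the claims."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_token(token: str, now: int, secret: bytes):
    """Return (payload, "ok") or (None, reason).

    The verifier decides which algorithm it accepts; it never lets the
    token's own header choose one, and it checks the stamp before
    trusting anything in the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None, "bad signature"
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None, "expired"
    return payload, "ok"


def tamper_name(token: str, new_name: str) -> str:
    """Test fixture for the friend's 'fake copy': same stamp, different name.
    The original signature no longer covers the new payload, so it is rejected."""
    head_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["name"] = new_name
    return ".".join([head_b64, b64url_encode(_compact_json(payload)), sig_b64])


if __name__ == "__main__":
    token = issue_token("Navin", ISSUED_AT, LIFETIME_SECONDS, SECRET)
    print("token:", token)
    print("readable without the key:", read_payload_without_key(token))
    print("fresh token:", verify_token(token, ISSUED_AT + 60, SECRET)[1])
    print("after expiry:", verify_token(token, ISSUED_AT + LIFETIME_SECONDS, SECRET)[1])
    print("name changed, old stamp:", verify_token(tamper_name(token, "Harsh"), ISSUED_AT + 60, SECRET)[1])
    print("other shop's key:", verify_token(token, ISSUED_AT + 60, b"some-other-secret")[1])
```

Two design points worth noticing: `verify_token` pins the algorithm it expects and checks the signature before it parses any claim, so the payload's contents cannot influence how it is verified; and because every shop checks the stamp with the same shared secret rather than looking the holder up in a local registry, the Delhi branch can accept a card issued in Mumbai without a shared database, which is exactly the property the transcript is after. Sending the token over HTTPS, as the speaker says, is what keeps it from being read in transit; the signature alone does not hide it.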