JWT - techniq/wiki GitHub Wiki

Quick decode payload of token

var token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL3NhbXBsZXMuYXV0aDAuY29tLyIsInN1YiI6ImZhY2Vib29rfDEwMTU0Mjg3MDI3NTEwMzAyIiwiYXVkIjoiQlVJSlNXOXg2MHNJSEJ3OEtkOUVtQ2JqOGVESUZ4REMiLCJleHAiOjE0MTIyMzQ3MzAsImlhdCI6MTQxMjE5ODczMH0.7M5sAV50fF1-_h9qVbdSgqAnXVF7mz3I6RjS6JiH0H8';
var payload = JSON.parse(atob(token.split('.')[1]))

• Base64 polyfill (IE<10) for window.atob and window.btoa
• For a better implementation, use auth0/jwt-decode

Token expiry

new Date(JSON.parse(atob(localStorage.access_token.split('.')[1])).exp * 1000)

Curl examples

Simple login (probably returns JSON with "token" property)

curl -i -X POST -d username=test -d password=test "http://localhost:8080/auth/login"

Send token in request

curl -i -X POST -H "Authorization: bearer JWT_TOKEN" "http://localhost:8080/api/v1/restricted"

Helpful site

http://jwt.io/

Libraries

• auth0/jwt-decode
• pose/webcrypto-jwt
  • Decodes, verifies, and signs using W3C Web Cryptography (window.crypto.subtle)
  • http://caniuse.com/#feat=cryptography
  • window.crypto polyfill - Netflix/NfWebCrypto
• koajs/jwt
• jwt-dotnet/jwt
• michaelnoonan/Auth0-Owin-JwtBearerAuthentication
• auth0/angular-jwt

Reference

• Understanding JWT
• Where to Store Your JWTs - Cookies vs HTML5 Web Storage
• JSON Web Tokens vs. Session Cookies: In Practice
• 10 Things You Should Know about Tokens
• What the heck is JWT anyway?
• Creating And Validating JWT Tokens In ASP.NET Core
• Implementing JWT Authentication in ASP.NET Core 5
• Make secure .NET Microservices and Web Applications

PKCE

• https://github.com/auth0/spa-pkce
• https://github.com/aaronpk/pkce-vanilla-js
• https://github.com/auth0/auth0-spa-js
• https://github.com/BitySA/oauth2-auth-code-pkce
• https://github.com/scottbrady91/AspNetCore.Pkce
• https://github.com/openid/AppAuth-JS