Posts

Showing posts from June, 2022

How are the JWT token and refresh token received by the application from the server?

The basic sequence of getting tokens is as follows: A client sends a username/password combination to the server. The server validates the authentication. If authentication is successful, the server creates a JWT token and a refresh token; otherwise it returns an error response. On successful authentication, the client gets the JWT token in the response body and the refresh token in a cookie with all cookie protection flags set (httpOnly, secure=true, and SameSite=strict [whenever possible, to prevent CSRF]).

The client stores the access token in memory. This means that you put the access token in a variable in your front-end site (like const accessToken = xyz). Yes, this means that the access token will be gone if the user switches tabs or refreshes the site. That’s why we have the refresh token. We’re not putting this access token in localStorage or in a cookie via JavaScript because it’s easier for attackers to dump that data, making it more prone to be stolen via an XSS attack. We can also u

What is JWT - JSON Web Tokens (Simple Explanation)

What is JWT? A JWT token is a base64url-encoded string that is used to transmit information between server and client. A JWT token mostly contains user information, which is used for authorization. A JWT token can be sent through a URL, a POST parameter, or an HTTP header. The information that is sent by JWT is verified and trusted because it is digitally signed.

A JWT token looks like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

A JWT token has three parts (https://jwt.io/):

Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
{"alg": "HS256", "typ": "JWT"}

Payload: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
{"sub": "1234567890", "name": "John Doe", "iat": 1516239022}

Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), your-secret)

Uses of JWT token
* Authorization: After successful auth

Don't merge OAuth and OpenID Connect concepts while understanding OAuth (Simple Explanation)

I was also confused while understanding both concepts; I thought that the Gmail/Facebook credentials that I used to log in to abc.com were an OAuth concept, but I was wrong. It is the OpenID concept that is working on the OAuth protocol.

So what is OAuth? OAuth = Open Authorization. As the name suggests, it is “Authorization”, which means it’s related to some authorization concept. As the internet grew, developers needed a way for “abc.com” to read data from “anything.com” without giving the password of anything.com to the abc.com server. It helps in improving the user experience and also increases business.

Let’s explain OAuth with a simple example: I am sure we have all seen this type of concept, where we log in to an application (abc.com) using abc.com credentials and after that get an option like “import contacts from Gmail”. When we click on that hyperlink, it redirects us to Gmail, where it asks for Gmail credentials, and after entering the credentia