[00:00:00] In the last video we were able to sign up for the very first time and get back a JSON Web Token. Now this right here is not exactly a JSON Web Token, but it does kind of technically contain it. The value that we're actually looking at is that session object that we just set. So in other words, this session object right here. It got turned into JSON and then base64 encoded, so to actually get the JSON Web Token out of here we've got to do just a little bit of work. Well, let's go through it just one time to make sure it's all crystal clear. So I can take that value right there, I'm going to copy it, and then I'm going to go over to my browser and go to a website called base64decode.org. This is a little tool that can take a base64 string and pretty much decode it into plain UTF-8. So I paste in that whole string, I'll hit Decode, and there it is, our JSON object right there. You'll see that we do in fact have that jwt property, and inside that string is the actual honest-to-God JSON Web Token. Let's play around with that string a little bit too. I'm going to take just the JSON Web Token, I'm going to copy it, and I'll go to yet another website called jwt.io. This is a website just to help raise awareness of JSON Web Tokens and how they work. If you come to jwt.io and then scroll down a little bit, there's a little tool that you can use to take a look at JSON Web Tokens and just make sure that they are actually properly encoded, see the information inside them and all that stuff.

[00:01:35] So I'm going to take the JSON Web Token and put it in on the left-hand side, then go to the right-hand side, and down here inside of Verify Signature we're going to put in the signing key that we wrote into our code just a moment ago. So for me it was simply asdf. I'll put it in right here: asdf. As soon as I do so you'll see that it says Signature Verified. So that is the proof that this is a valid token. If some malicious user came along and tried to change the information inside of here, so let's say they changed essentially anything inside of here, so I'm going to go ahead and delete a character, all of a sudden it is no longer a valid token. We tried to verify that this was a valid token using that signing key of asdf, and note it failed the check, which would be a sign to you and I as developers that someone has messed around with this thing and we should no longer trust it. As soon as I put in the valid token once again, the whole thing is valid; you'll notice it on the right-hand side. We can also see the payload inside of here very easily. You know, you can see this payload even if we have an invalid token, or you don't need that signing string right there; we can delete that entirely and we can still see all the information inside this payload just fine.

[00:02:53] Remember, with the JSON Web Token anyone can see the information inside of it, and it is the fact that we can verify that no one has messed around with this information that actually makes it significant. We can see the ID of the user, we can see their email, and then iat right here is the issued-at time; that's when the JSON Web Token was actually created. So that all looks pretty good now.

[00:03:16] Quick diagram: I want to expand on that signing key just a little bit. So we took the payload, we took the signing key, and we tossed them into our JSON Web Token library, and that spat out our actual JSON Web Token. Any time that we are going to receive this JSON Web Token inside of another service, when we need to see whether or not it is a valid token to decide whether or not this user is actually logged in, that means that those other services are going to need to get access to that signing key, as it's only with that signing key that we can make sure that a token is actually valid. Now the downside here: we're essentially talking about sharing this signing key with all these other services. If anyone ever got access to that signing key they could easily manufacture their own tokens that our application would think are valid. So we essentially need to share the signing key with all of our other services, but we need to make sure that no one else gets their hands on it.

[00:04:12] So as you'd guess, writing out that signing key in plain text as we are doing right here is not appropriate at all. At no point in time, unless we are in a development environment just messing around a little bit, do we want to write out that signing key in plain text. So we need to figure out some way to extract that signing key, store it securely somehow within our overall application, and make sure that we can easily share that exact signing key with everything inside of our app, so all the other different services that are going to eventually receive a JSON Web Token. So this really comes down to a challenge with Docker and Kubernetes. Let's take a pause right here. When we come back in the next video, we're going to figure out how we can securely share information between all of our different services.