1
00:00:01,970 --> 00:00:06,290
Well we've had a couple of different videos on authentication and we've now established that we want

2
00:00:06,290 --> 00:00:11,120
to go with fundamental option number two where we're going to make sure that each service understands

3
00:00:11,150 --> 00:00:15,620
what authentication is and how to determine whether or not someone is logged in.

4
00:00:15,620 --> 00:00:19,820
Now in all these different videos over here on the left hand side we've been saying that we were going

5
00:00:19,820 --> 00:00:25,520
to have some requests to do something and the authentication mechanism was going to be a JSON web token,

6
00:00:25,580 --> 00:00:27,970
a cookie or something very similar.

7
00:00:27,980 --> 00:00:32,750
So now in this video and the next couple we're going to establish exactly how we are going to prove

8
00:00:32,750 --> 00:00:34,440
that a user is authenticated.

9
00:00:34,490 --> 00:00:38,210
In other words, are we using JSON web tokens or using cookies or what?

10
00:00:38,930 --> 00:00:44,090
Well, first what I want to do is establish the difference between JSON web tokens and cookies.

11
00:00:44,090 --> 00:00:46,900
I'm going to kind of assume that you're vaguely familiar with both of these.

12
00:00:46,900 --> 00:00:49,060
So I'm really just going to give you a quick reminder.

13
00:00:49,100 --> 00:00:51,880
Most importantly, the biggest thing I want you to understand here,

14
00:00:51,920 --> 00:00:57,120
the biggest thing I want you to recall, is that JSON web tokens and cookies are not the same thing.

15
00:00:57,140 --> 00:01:00,710
They are not equivalent by any stretch of the imagination.

16
00:01:00,710 --> 00:01:05,000
Let's take a look at a series of diagrams and just get a quick reminder on what the cookie is and what

17
00:01:05,000 --> 00:01:12,010
a JSON web token is and how they are similar and how they are different. We'll first begin with cookies.
18
00:01:12,010 --> 00:01:17,470
So we're going to imagine that we've got some browser making a request over to some server. When the

19
00:01:17,470 --> 00:01:24,100
server sends a response back to the browser it can optionally include a header of Set-Cookie, and then

20
00:01:24,100 --> 00:01:27,670
for that Set-Cookie header it can provide some kind of value.

21
00:01:27,970 --> 00:01:33,530
This value right here can be a string that contains any information that we want. Now that little piece

22
00:01:33,530 --> 00:01:37,720
of information is then going to be automatically stored inside of the browser.

23
00:01:37,940 --> 00:01:44,420
Then whenever this browser makes a follow-up request to the same domain with the same port, the browser

24
00:01:44,420 --> 00:01:48,860
is going to make sure that it takes that little piece of information right there and appends it onto

25
00:01:48,860 --> 00:01:51,590
the request as a Cookie header.

26
00:01:51,650 --> 00:01:56,990
So there's that little piece of information right there; it'll be automatically sent over to the server.

27
00:01:57,090 --> 00:02:02,940
The key things to understand here around this cookie approach, or this idea of saving some cookie, are

28
00:02:02,940 --> 00:02:07,860
that some arbitrary piece of information (it doesn't really matter what this information is, it can

29
00:02:07,860 --> 00:02:13,380
be anything we possibly can think of) will be automatically stored by the browser

30
00:02:13,770 --> 00:02:15,460
and automatically sent to the server

31
00:02:15,470 --> 00:02:21,480
any time we make a follow-up request. Those are the key things to remember about cookies in general.

32
00:02:21,490 --> 00:02:26,490
Now off to JSON web tokens. Remember, with a JSON web token
33
00:02:26,490 --> 00:02:31,730
we're going to take some arbitrary piece of information that we refer to as the payload, so this can

34
00:02:31,730 --> 00:02:37,430
be some kind of object that has maybe a user ID, a favorite color, just about any information we can

35
00:02:37,430 --> 00:02:38,330
possibly think of.

36
00:02:39,170 --> 00:02:44,480
We're then going to take that payload and throw it into a JSON web token creation algorithm.

37
00:02:44,480 --> 00:02:46,790
It's then going to spit out our JSON web token.

38
00:02:46,880 --> 00:02:53,620
It looks like an encoded string like this right here, or some kind of token. Stored inside this thing

39
00:02:53,620 --> 00:02:55,600
is that original payload.

40
00:02:55,600 --> 00:03:01,690
We can very easily take that string right there, throw it into some kind of decoding algorithm and extract

41
00:03:01,690 --> 00:03:03,170
the original object.

42
00:03:03,340 --> 00:03:09,130
So at any point in time we can always access the information that is stored inside the token. Once we have

43
00:03:09,130 --> 00:03:09,950
this token,

44
00:03:10,030 --> 00:03:14,090
we eventually do need to communicate it between the browser and the server.

45
00:03:14,110 --> 00:03:18,850
There are a couple of different methods we can use to actually do this communication.

46
00:03:18,850 --> 00:03:23,440
So whenever the browser makes requests the server is going to want to include that JSON web token

47
00:03:23,560 --> 00:03:28,840
in one way or another so that the browser can prove that it is authenticated or it is logged in with

48
00:03:28,840 --> 00:03:35,040
this particular server. To communicate that token over, some very common approaches are to include an

49
00:03:35,070 --> 00:03:39,120
Authorization header that has the JSON web token inside of it.
50
00:03:39,270 --> 00:03:44,910
We can just throw the entire token inside the body of a request, assuming that it is a POST request or

51
00:03:44,910 --> 00:03:52,290
a PUT or a DELETE and so on. Or alternatively we can also kind of mix and match here and take that JSON

52
00:03:52,290 --> 00:03:56,100
web token and store it inside of a cookie as well.

53
00:03:56,100 --> 00:04:01,600
So the JSON web token will be managed automatically by the browser and included on all follow-up requests.

54
00:04:02,790 --> 00:04:02,990
All right.

55
00:04:03,000 --> 00:04:07,790
So just to recap what we have recovered or recalled inside this video.

56
00:04:08,070 --> 00:04:13,120
Differences between cookies and JSON web tokens: cookies are a transport mechanism.

57
00:04:13,200 --> 00:04:18,180
They're a way of communicating information between the server and the browser, and they do not necessarily

58
00:04:18,180 --> 00:04:21,600
do anything loosely coupled to authorization.

59
00:04:21,780 --> 00:04:26,970
We use them for authorization, but that's not necessarily the primary purpose or the primary goal of

60
00:04:26,970 --> 00:04:27,210
them.

61
00:04:27,210 --> 00:04:32,500
It's not the only thing they can do. We can use cookies to move any kind of data between the browser

62
00:04:32,500 --> 00:04:35,590
and the server, so it doesn't have to be authentication related stuff.

63
00:04:35,590 --> 00:04:37,330
It can be tracking information.

64
00:04:37,420 --> 00:04:45,150
It can be some kind of visit counter. Just about any kind of data we can easily store inside that cookie.

65
00:04:45,280 --> 00:04:48,290
And then finally, cookies are automatically managed by the browser.

66
00:04:48,340 --> 00:04:53,080
You and I as developers, specifically on the browser side of things, don't really have to worry about

67
00:04:53,080 --> 00:04:56,090
managing them in any way, shape or form.
68
00:04:56,110 --> 00:05:00,700
All you and I have to do on the server is set a cookie, and then we can be pretty much guaranteed that

69
00:05:00,700 --> 00:05:07,770
it will always come back in all follow-up requests. JSON web tokens, on the other hand, are all about authentication

70
00:05:07,830 --> 00:05:09,100
and authorization.

71
00:05:09,150 --> 00:05:15,150
That is what they are intended to serve. Inside of a JSON web token we can store any form or structure

72
00:05:15,150 --> 00:05:16,170
of data that we want.

73
00:05:16,170 --> 00:05:21,810
So it's traditionally going to be an object with some number of key-value pairs, and then JSON web

74
00:05:21,810 --> 00:05:26,940
tokens have to be managed manually by you and me as developers on the front end, unless we are storing

75
00:05:26,940 --> 00:05:30,490
that JSON web token inside of a cookie. All right.

76
00:05:30,490 --> 00:05:35,220
So now that we've established the difference between these, again I just want you to recall that back inside

77
00:05:35,220 --> 00:05:40,260
this diagram we said, well yeah, our authentication thing is a JSON web token or a cookie.

78
00:05:40,350 --> 00:05:45,400
It's kind of misleading to make these things sound equivalent, because they are two very different things.

79
00:05:45,400 --> 00:05:47,760
The cookie is just a transport mechanism.

80
00:05:47,850 --> 00:05:50,640
It's something that's going to hold information.

81
00:05:50,640 --> 00:05:52,020
It can be any kind of information.

82
00:05:52,020 --> 00:05:54,780
It's not necessarily tied to authentication.

83
00:05:54,780 --> 00:06:01,310
JSON web tokens, on the other hand, are traditionally only used, or always used, for authentication and authorization.

84
00:06:01,370 --> 00:06:01,610
All right.

85
00:06:01,640 --> 00:06:03,680
And we've established the difference here.
86
00:06:03,740 --> 00:06:09,980
We need to take a deeper look at both of these things and decide, based on some pros and cons, which one

87
00:06:09,980 --> 00:06:16,880
is more appropriate, or which approach or combination of the two is most appropriate, for handling authentication

88
00:06:16,880 --> 00:06:19,550
inside of a microservices architecture.

89
00:06:19,550 --> 00:06:20,960
Let's take care of that in just a moment.