In this video we're going to get a better understanding of what a JSON Web Token is. A JSON Web Token is a string that proves that a user is who they say they are. Now, just understanding that without any further explanation is a little bit challenging, so I want to first give you a quick analogy to help you understand why we're using a JSON Web Token and what its real goal is.

So here's a quick analogy: I want to consider what a driver's license in the United States does. Just so you know, in the United States a driver's license is a small plastic card that has some identifying information about a person. A driver's license is not used only to prove that you can drive a vehicle; it's also used as a form of identification. So for example, if you go to a bank and you need to prove that you are who you say you are, that you can access your bank account, the bank might ask you for your driver's license. They will then look at the driver's license, look at your picture, look at you, and look at the name on the card as well and say, OK, clearly you are who you say you are, and then you can get access to your bank account.

So I want to examine some of the different qualities that a driver's license has. First off, a driver's license can be used to prove that you are who you say you are. It has some identifying information about the person carrying the ID, such as a picture, an address, a name and so on. Very critically, the ID itself, that plastic card, has some security measures to prove that it is a very real ID and it's not somehow produced maliciously, or edited or manipulated or something like that. In particular, a driver's license in the state of California has some holograms on it. It also has a kind of hard-to-print small picture of the person holding the card right there, and the signature over here on the left-hand side is also kind of like raised lettering, so if you run your finger over it you can feel that lettering. And so all these different special security features are really hard to fake. It is possible to fake, you know, you can of course change the name on a card and you might be able to pass it off as a real card, but at the end of the day it is kind of hard to manufacture a driver's license or make changes to an existing one. And it is those properties that allow us to use a driver's license as a somewhat secure form of identification. It's why you can use it to get access to, say, a bank account.

So at the end of the day, when we make use of a driver's license, we're taking some identifying information about a person and we are encoding it onto a plastic card, and that card is really hard to produce and very hard to modify, and because of those different properties we can safely use it, or, you know, reasonably safely use it, as a form of identification.

So a JSON Web Token is very similar to a driver's license. With a JSON Web Token we have a string that carries some identifying information. If a user has this string, then we can use it to prove that that user is who they say they are. A JSON Web Token is created using a special key, essentially a string of characters that only our server knows, and because only our server has that key, it is impossible to create a new JSON Web Token that will work with our server. And it's also very challenging or impossible to make changes to an existing JSON Web Token. So again, a JSON Web Token is very similar to a driver's license: it carries some information about a very specific person, and it's really hard to change or fake information inside there.

Now, to get a better idea of what a JSON Web Token is, we're going to take a look at a little tool very quickly. You can open up a new browser tab and navigate to jwt.io. OK, so once here, we're going to scroll down a little bit and find this section right here. The section inside of here that you and I really care about is this payload section. The payload section represents some amount of data that we want to encode inside of our JSON Web Token. So if we were working with a driver's license, the payload of a driver's license would really be the name, address and picture; it has some identifying information about the user. And that's what we can use that payload section right there for as well.

So inside of our application, inside of our payload, instead of placing all that information, we're going to place the user ID of a particular user. The user ID that we put inside of here is going to be the same ID that is assigned to a user record when it is created inside of our MongoDB database. So here's my Mongo database. I have an ID property that was automatically generated for my user by Mongo. So that ID right there is unique to this user account, the user account with that given email and that given password. So we're gonna take that ID and store it inside of our payload property, like so. The result of that is this JSON Web Token; this is the token right here on the left-hand side. This stuff in purple is the encoded information, so we can take this string right here, we can exchange it around, and we can use this as some form of ID.

The information inside this token can be freely read by anybody. So this information right here, anybody can take this token, decode the information and see that user ID inside there, but very critically, no one can make changes to the token. So if anyone tries to change the information inside there, we're going to know instantly. So it's very hard to modify an existing token or create a new one from scratch. So by just having this string of characters right here, we can use it to prove that a user is who they say they are.

OK, down here inside of Verify Signature, you'll also notice that there's something called "your 255 or 256 bit secret". So that's where we're going to put some little secret token that is unique to our server. And again, that's what's going to make sure that nobody else can make a modification or a change to an existing token.

All right, so we're going to use this entire system right here to make sure that a user is who they say they are. As we saw back in this diagram over here, after a user signs in we're going to generate a JSON Web Token, and inside there we're gonna put the user's ID. We're then going to send that JSON Web Token back to the user's device, and then we're going to require that that user includes that JSON Web Token with any follow-up request. When the request is made to our API, we're going to take a look at that token, we're going to take a look at the user ID inside there, and we're gonna say, OK, it looks like you are the user with ID so-and-so, and so we will know exactly who is making that request.

Now, once again, on repeat one last time, because this is the really important thing that really trips people up: you cannot easily make changes to an existing JSON Web Token. The information inside there is easily visible; anyone with the token can see what that user ID is, but you can't change it without that key. So as long as that key is secret and we don't provide it to the outside world, we can always trust that a JSON Web Token, and the key, or the information inside there, is 100 percent legitimate. Very similar to a driver's license: it's really hard to change information inside that token.

OK, so now that we've got a better idea of what a JSON Web Token is, let's make sure that we produce one after a user signs in, and then we'll send it back to them and they can use it to make some follow-up requests. So quick pause and I'll see you in just a minute.