
Authentication

For authentication, we are currently using JWT (OAuth2 + JWT). JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way of transmitting claims between parties as a JSON object. The claims can be verified and trusted because the token is digitally signed: a JWT can be signed with a shared secret (HMAC) or with a public/private key pair (RSA or ECDSA). A signature protects integrity and origin, not secrecy; the payload of a signed JWT is only base64url-encoded, so anyone holding the token can read it, and it must not carry secrets. A verifier should pin the algorithm it expects rather than trusting the alg field in the token header, and should always check the exp claim.

Examples of how JWTs are used:

  1. Authentication: A user logs in to a web application and the application generates a JWT that contains claims about the user, such as their user id, name and email address, plus an expiry. The JWT is sent to the user's browser and stored in a cookie or in local storage (local storage is readable by any script running on the page, so an HttpOnly cookie is the safer choice). The browser then includes the JWT in subsequent requests, usually in the Authorization header as a Bearer token. The server verifies the signature and the expiry and authenticates the user from the claims the token contains, without needing to look the session up in a store.

  2. API Authorization: An application makes requests to a third-party API and includes a JWT in the headers of those requests. The API verifies the JWT and authorizes the application based on the claims it contains, for example the scopes granted to it.

  3. Single Sign-On (SSO): A user logs in to one application and is then able to access other applications without having to log in again. A JWT is generated when the user logs in to the first application (the identity provider) and is then presented to the other applications. Each of those applications verifies the JWT, typically with the issuer's public key, and authenticates the user based on the claims it contains.

  4. Information Exchange: Two systems need to exchange information securely. A signed JWT (JWS) lets the receiving system verify who sent the data and that it was not altered in transit. If the contents must also be kept confidential, the token has to be encrypted as well, which is what JWE (RFC 7516) provides; signing alone does not hide the payload.
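As an added example (not code from the original page or from this project), the following Python implements the login-and-verify flow of use case 1 with the shared-secret (HS256) signing option described above, using only the standard library. The server issues a token carrying the user's claims and an expiry, the client sends it back in an Authorization: Bearer header, and the server pins the algorithm, checks the signature in constant time before parsing the payload, and rejects expired tokens. The secret, the user record and the claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. In production load it from a secret store; it should be
# at least as long as the HMAC output (32 bytes for HS256) and never committed to git.
SECRET = b"constructed-demo-secret-32-bytes-long!!"


def _b64url_encode(data: bytes) -> str:
    # RFC 7515 base64url: URL-safe alphabet with the "=" padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class InvalidToken(Exception):
    """Raised for any verification failure; callers treat all of them the same."""


def issue_token(claims: dict, secret: bytes, ttl_seconds: int = 900,
                now: Optional[int] = None) -> str:
    """Build an HS256 JWT carrying the given claims plus iat/exp (login side)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims of a valid HS256 token or raise InvalidToken."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise InvalidToken("malformed header")
    # Pin the algorithm. Trusting the token's own alg field is what enables the
    # "alg": "none" bypass and HS256/RS256 key-confusion attacks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    # Check the signature before parsing the payload so unsigned input is never interpreted.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("utf-8"),
                        hashlib.sha256).digest()
    try:
        actual = _b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("malformed signature")
    if not hmac.compare_digest(expected, actual):  # constant-time comparison
        raise InvalidToken("bad signature")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("malformed payload")
    if not isinstance(payload, dict):
        raise InvalidToken("payload is not a JSON object")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise InvalidToken("token expired or missing exp")
    return payload


def check_token(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        verify_token(token, secret, now=now)
        return "ok"
    except InvalidToken as e:
        return str(e)


def user_from_authorization_header(value: Optional[str], secret: bytes,
                                   now: Optional[int] = None) -> Optional[dict]:
    """Server side of a request: pull the Bearer token out of the header and verify it."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    try:
        return verify_token(token.strip(), secret, now=now)
    except InvalidToken:
        return None


if __name__ == "__main__":
    # Constructed user record standing in for whatever the login handler looked up.
    tok = issue_token({"sub": "42", "name": "Ada", "email": "ada@example.com"}, SECRET)
    print(tok)
    print(user_from_authorization_header("Bearer " + tok, SECRET))
```

Swapping in the RSA or ECDSA option from the text changes only the two signing calls: the issuer signs with the private key and verify_token checks with the public key, which is what lets SSO relying parties verify tokens they could never forge. In real code you would normally use a maintained library rather than hand-rolled parsing, but the same rule applies there: pass the accepted algorithms explicitly (for example the algorithms argument of PyJWT's decode) instead of letting the token choose.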