JWT Authorization


Authorization with JSON Web Token allows you to complete authentication and authorization with your login and password once, obtain an access JWT token, and use the token for all further requests.

The token contains all the information the server needs about the user, removing the need for repeated authentication.

You can refresh your knowledge about JWT format here.

Access and Refresh Tokens

Access Token proves that the user has permission to access a resource. Access tokens usually have a short lifespan — about 5 to 15 minutes.

Refresh Token is used to enhance security and user convenience. Refresh tokens typically last for several months and allow the user to obtain a new access token without re-entering credentials.

Here’s how the process looks step-by-step:

Step 1. The client enters login/password and receives access and refresh tokens

Client -> Server: login/password
Server -> Client: access_token, refresh_token

Step 2. The client uses the access token to access protected resources

Client -> Protected Resource: access_token
Protected Resource -> Client: access granted

Step 3. When the access token expires, the client sends the refresh token and receives a new token pair

Client -> Server: refresh_token
Server -> Client: new access_token, new refresh_token

Authorization Header with Bearer Token Type

Earlier we learned how to send a request with an Authorization header of type Basic Auth to transmit a login/password pair.

When sending a JWT, select the Authorization header with type Bearer Token and paste the token issued by the server into the Token field.

The header will look like this:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyIiwicm9sZSI6IlRFU1QiLCJleHAiOjE3MTYyMzkwMjJ9.wnZZUqYlOX_WAKjrcaMUdM_JyalzHsRwNfRu74wKPR8

Authorization Type Bearer Token in Postman

JWT Token Expiration Time

A JWT token remains valid until its expiration time.

To check the token's expiration, decode it (for example, on jwt.io) and compare the value of the exp field in the payload with the current time. If exp is less than the current time, the token has expired.

The exp field uses Unix Time, which is the number of seconds since January 1, 1970.

You can use online converters to make Unix Time easier to read.

Unix time conversion on jwt.io when hovering the cursor

How to modify the data in the token?

Modifying the data in the token produces a valid token only if you also generate a new signature over the modified data; a token whose payload changes while its signature stays the same fails verification.

Modifying the data without re-signing the token may be used as a negative test scenario for verifying the server's signature check, or in test environments where signature validation is disabled—for example, to extend the token's lifetime.

Tokens issued by the server should always be protected by a signature, which ensures the integrity of the token data and prevents tampering. In the task, we'll see what happens when the server forgets to verify the signature.
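The three steps above (login, Bearer access, refresh), the exp check, and the "modify without re-signing" negative test, as one added example that is not part of this course's material. It signs tokens with HS256 using only the standard library so it runs offline; SECRET_KEY, issue_token_pair, authorize_request, refresh_token_pair, is_expired and modify_exp_without_resigning are names assumed for the example, and the typ claim used to tell access from refresh tokens is an example convention, not part of the JWT standard. The "now" value is the exp from the sample token on this page, so the issued tokens share its header and claim names.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example; a real server keeps its key secret.
SECRET_KEY = b"example-only-signing-key"
ACCESS_TTL = 15 * 60             # access tokens live minutes, as in the text
REFRESH_TTL = 90 * 24 * 60 * 60  # refresh tokens live about three months

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload):
    """Build header.payload and sign it with HS256; returns the compact token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def decode_payload(token):
    """Read the payload without any checks (what jwt.io shows you)."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_jwt(token, now=None):
    """Server-side check: signature first, then exp. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(parts[1]))
    if payload.get("exp", 0) < now:  # exp is Unix time in seconds
        raise ValueError("token expired")
    return payload

def issue_token_pair(user, role, now=None):
    """Step 1: after login/password succeed, hand out an access/refresh pair."""
    now = int(time.time()) if now is None else now
    return {
        "access_token": sign_jwt({"sub": user, "role": role, "typ": "access", "exp": now + ACCESS_TTL}),
        "refresh_token": sign_jwt({"sub": user, "role": role, "typ": "refresh", "exp": now + REFRESH_TTL}),
    }

def bearer_header(token):
    """Step 2, client side: the Authorization header exactly as Postman sends it."""
    return "Authorization: Bearer " + token

def authorize_request(headers, now=None):
    """Step 2, resource side: pull the Bearer token out of the header and verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    return verify_jwt(token, now)

def refresh_token_pair(refresh_token, now=None):
    """Step 3: a valid refresh token buys a new pair; an access token is refused here."""
    payload = verify_jwt(refresh_token, now)
    if payload.get("typ") != "refresh":
        raise ValueError("not a refresh token")
    return issue_token_pair(payload["sub"], payload["role"], now)

def is_expired(token, now=None):
    """The manual check from the text: decode, then compare exp with the current Unix time."""
    now = int(time.time()) if now is None else now
    return decode_payload(token)["exp"] < now

def modify_exp_without_resigning(token, new_exp):
    """Negative test: change exp in the payload but keep the old signature."""
    header, _, sig = token.split(".")
    payload = dict(decode_payload(token), exp=new_exp)
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}.{sig}"

if __name__ == "__main__":
    t0 = 1716239022  # the exp value in the page's sample token, used as "now"
    pair = issue_token_pair("user", "TEST", now=t0)
    print(bearer_header(pair["access_token"]))
    print("granted:", authorize_request({"Authorization": "Bearer " + pair["access_token"]}, now=t0))
    later = t0 + ACCESS_TTL + 1
    print("access expired:", is_expired(pair["access_token"], now=later))
    pair = refresh_token_pair(pair["refresh_token"], now=later)
    forged = modify_exp_without_resigning(pair["access_token"], later + 3600)
    try:
        verify_jwt(forged, now=later)
    except ValueError as err:
        print("forged token rejected:", err)
```

Note the order inside verify_jwt: the signature is checked before exp is read, so a payload edited to push exp into the future is rejected as "bad signature" rather than being trusted; is_expired deliberately skips the signature, which is fine for the manual inspection the text describes but never for an access decision.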

Task
Task available to premium users!