API Authentication w/ Devise + JWT
Download
Report
Transcript API Authentication w/ Devise + JWT
API Authentication
w/ Devise + JWT
Why use JWT?
•
•
•
•
•
Compact
Self contained
Cookie free authentication
Mobile friendly
Popular Oauth alternative
How do they work?
•
•
•
•
Based on web standard rfc7519
Uses secrets to encrypt/decrypt payload
Consists of header, payload and signature
Base 64 encoded
JWT Structure
JWT Encoded
Workflow for JWT Auth
More info
• https://jwt.io/introduction/
JWT Gem
• Supports SHA-256, 384, 512
• Handles all encoding, encrypting/decrypting
• Clean interface for accessing JWT claims
Implementing in Rails
https://github.com/RohitRox/Rails-API-and-JWT
1.
2.
3.
4.
5.
6.
7.
8.
Scaffold up a Rails app. Add some resources to request.
Install Devise and JWT gems
Add a Devise user
Override the default Devise registration and sessions controllers
In your Application/Base controller add a filter to authenticate user
from JWT
Skip the filter wherever you don’t require authentication (at least in
registrations and sessions controllers!)
Add rack-cors gem to allow cross domain requests. Disable CSRF
by using skip_before_action :verify_authenticity_token
Make sure to load your secret key from ENV variables in prod
Resources
JWT + Rails API code example:
https://github.com/RohitRox/Rails-API-and-JWT
JWT + Rails demo app code:
https://github.com/jimjeffers/rails-devise-cors-jwt-example
Video walkthrough of using JWT, Rails, Devise:
https://www.youtube.com/watch?v=_CAq-F2icp4
How JWT works:
http://www.toptal.com/web/cookie-free-authentication-with-json-webtokens-an-example-in-laravel-and-angularjs