Скачать или смотреть Working with JWTs in Python

In this video, Jose Haro Peralta explains how to work with JWTs in Python.

Chapters:
0:00 What are JSON Web Tokens (JWTs)?
2:29 ID tokens and access tokens
3:14 Types of claims in a JWT
4:22 Signing algorithms for JWTs
4:50 Setting up the environment and installing dependencies
5:42 Producing a JWT with the HS256 algorithm
7:50 Producing a JWT with the RS256 algorithm
9:42 Generating a X.509 signing certificate
10:21 Signing a JWT with a private key
12:38 Validating JWTs with Python
16:05 JWT validation errors
17:18 Wrapping up

JWTs are JSON documents which contain claims. We distinguish two types of JWTs: ID tokens and access tokens.

ID tokens are tokens which carry identifying information about a user, such as their name, username, email, date of birth, and other details. You should NEVER use an ID token to validate access to an API.

Access tokens are tokens which contain claims about the right of a user to access an API or a resource. These are the tokens that we must use to validate access to an API.

The standard claims of an access token are:

• iss (issuer): identifies the authorization server that issued the JWT.
• sub (subject): identifies the subject of the JWT, i.e. the user sending the request to the server.
• aud (audience): indicates the recipient for which the JWT is intended. This is our API server.
• exp (expiration time): when the JWT expires.
• nbf (not before time): time before which the JWT must not be accepted.
• iat (issued at time): when the JWT was issued.
• jti (JWT ID): a unique identifier for the JWT.

JWTs are commonly signed using the HS256 and the RS256 algorithms. HS256 uses a secret to encrypt the token, while RS256 uses a private/public key to sign the token. We use this information to apply the right algorithm to verify the token’s signature.

In the video, I demonstrate how to produce and validate JWTs using PyJWT (https://github.com/jpadilla/pyjwt). To generate a token using PyJWT, we use the following function:

jwt.encode(payload=payload, key='secret', algorithm=’HS256')

I also use Python's cryptography library (https://github.com/pyca/cryptography) to load the token's signing certificates.

Some of the articles and websites mentioned in the video are:
The RFC "JSON Web Token (JWT)" (https://datatracker.ietf.org/doc/html.... This is the reference for everything you want to know about JWTs.
https://jwt.io. This website is great for inspecting and validating JWTs.
The RFC "The Base16, Base32, and Base64 Data Encodings" (https://datatracker.ietf.org/doc/html.... This RFC describes how base encoding works, including base64url encoding, which is the type of encoding used for JWTs.
JWT claims website: https://www.iana.org/assignments/jwt/.... This website contains the list of all standard claims you can find in JWTs.

To learn more about JWTs, I also recommend Prabath Siriwardena's "JWT, JWS and JWE for Not So Dummies! (Part I)" (https://medium.facilelogin.com/jwt-jw....

The code for this tutorial is available in GitHub: https://github.com/abunuwas/jwt-pytho....

In case you're unable to generate the signing certificates with the openssl command as shown in the video, the repo includes an example of private and public keys.

If you liked this video, please like it and share it with your network! You can also subscribe to my channel! All this goes a long way to supporting me to continue creating this kind of content.

I'm also the author of Microservice APIs with Examples in Python. It's a book dedicated to explaining how to design and build microservices and APIs, with examples in Python. If you're interested in the book, you can get a copy through this link: http://mng.bz/jy4x. Feel free to use the following code to get a 40% discount: slperalta.

You can also download two chapters of the book for free from this link: https://www.microapis.io/resources/mi...

Please let me know in the comments if you liked this video and whether you found it useful. Let me know also what other kinds of topics you'd like me to address in future videos!