JWT (JSON Web Token)

Introduction to JSON Web Tokens

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

When should you use JSON Web Tokens?

Here are some scenarios where JSON Web Tokens are useful:

Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.

Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.

What is the Structure of JSON Web Tokens?

In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:

Header
Payload
Signature


          Therefore, a JWT typically looks like the following.

header.payload.signature

Let's break down the different parts.

Header:

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

Then, this JSON is Base64Url encoded to form the first part of the JWT.

Payload:

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. The payload is then Base64Url encoded to form the second part of the JWT.


        Set JSON Claims for the JWT with the following parameters:


Signature

To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

For example if you want to use the RS 256 algorithm, the signature will be created in the following way:



The output is three Base64-URL strings separated by dots that can be easily passed in HTML and HTTP environments. The following shows a JWT that has the previous header and payload encoded, and it is signed with a secret.



Comments

  1. Nathan DuferenceOctober 16, 2020 at 5:04 PM

    Thank you for sharing such useful information. I really enjoyed while reading your article and it is good to know the latest updates. Do post more. And also read about leadingSalesforce Service Cloud Consultant

    ReplyDelete

Post a Comment

Popular posts from this blog

Communicating between Independent LWC in Omniscript

Image
This is a simple example that shows a button that, when clicked, publishes a message. This shows how two separate custom LWCs can communicate with each other inside of an OmniScript. Below is the overall design using the Pub/Sub model. So, lets get started! Step 1: Create a LWC component and use below code to fire events with parameters to pass an omniscript and component to Community Page. Below is the HTML and JS code for reference. SampleLWCComponent.html < template > < lightning-button label = "Send Event" onclick = {handleClick} ></ lightning-button > </ template > SampleLWCComponent.js import { LightningElement } from 'lwc' ; import pubsub from 'vlocity_ins/pubsub' ; export default class SampleLWCComponent extends LightningElement { handleClick ( e ){ let accId = '0015g00000gWY8VAAW' ; pubsub . fire ( "handlePubSubEventChange" , "result" , { "accId" : ac...
Read more

Server-Side Document Generation

Image
Document Generation                  With Document Generation , you can generate contracts, proposals, quotes, reports, non-disclosure agreements, service agreements, and so on. Client-side document generation  requires a user interaction and generates documents using an OmniScript. Salesforce provides sample OmniScripts and Integration Procedures that you can use and customize to implement these capabilities. Server-side document generation   typically doesn’t require user interaction. Instead, a backend server processes requests to generate documents. Let’s examine the differences between client-side and server-side document generation.   Client-Side Document Generation  ...
Read more

Reusable Code in OmniScript - Lightning Web Components

Lightning Web Components are great for breaking down layouts and interfaces into small, reusable pieces. Step 1: Create Lightning Web Component BaseComponent is via a BaseComponent folder in the standard LWC folder of a SFDX project. Export and Import Inside baseComponent.js, we can define reusable functions and export them for use in other components. In the example below, I define a function called convertToArray and export it BaseComponent import { LightningElement } from 'lwc' ; import { OmniscriptBaseMixin } from 'vlocity_cmt/omniscriptBaseMixin' ; export default class BaseComponent extends OmniscriptBaseMixin ( LightningElement ) { } export function convertToArray ( obj ) { if ( obj instanceof Array ) { return obj ; } else { return [ obj ]; } } Child Component import { LightningElement , api , track } from 'lwc' ; import { OmniscriptBaseMixin } from 'vlocity_cmt/omniscriptBaseMixin' ; ...
Read more