I'm new to JWT and flask-jwt, so I ran the example I found in the docs. I read this to get a better understanding of JWT.
But now I wonder how I should handle more than one token. I mean, a user posts his credentials to "myserver/auth" and then a token is returned to the client. When the client sends a new request he should send the token.
My question is: how do I know which "token" belongs to which user, and where are "tokens" stored?
JWTs consist of three parts separated by dots (.), which are the header, the payload and the signature. Therefore, a JWT typically looks like the following:
xxxxx.yyyyy.zzzzz
Let's see a brief summary according to the RFC and this:
Header
The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm such as HMAC SHA256 or RSA.
{
"alg": "HS256",
"typ": "JWT"
}
Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional metadata. This is the interesting part because inside the token we can check which user it belongs to.
{
"userid": "1234567890",
"expiration_date": "2016-05-129"
}
When we generate a new token we can specify the data the payload will contain, so we can add userid to identify a user and expiration_date to check if it is time to ask for a new one.
Signature
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
We should keep our secret key on the server side; hence, we can decrypt a valid payload and check which user it belongs to. In this way we are free to avoid storing tokens, because every token stores in itself enough data to validate our users.
The process to generate a renewed token is the same, so the client side should ask a renew service (an HTTP request like www.myhost.com/renew) and send the old token to generate the new one. Remember you can check which user that token belongs to, hence the renewed token should contain the same payload but with a different expiration date.
We can use JWT with more strategies like single sign-on to ensure only one user with the same credentials is logged in at the same time.