JSON Web Tokens are a great way of ensuring trust and authenticity between two parties on the internet. These are especially useful if you wish to provide a way for your clients to continue using their existing login credentials for every service that you intend to use within your application.
Ably Realtime just released the official support for JWT auth as a subset of its existing Token Auth mechanism.
Let me break it down a little bit to help you understand how JWT exactly works in conjunction with Ably.
How to use JWT with Ably
JWT can be used with Ably for authentication in two different ways:
1. Ably JWT — signed JWT generated using the API key
With Ably JWT, you have an auth server that is responsible for authenticating your users based on some custom login information that is specific to your application. As seen above, when a client sends the login credentials to your auth server, your server would verify these credentials and if correct, generate a JSON Web Token by signing it with a private Ably API key. In this case, the API key is known to your auth server and the Ably platform only, the client does not have access to this data.
Similar to the standard Token Auth mechanism in Ably, a JWT token can be used to limit the capabilities given to specific clients in terms of what operations they are allowed to do on Ably’s realtime platform such as publish-only, subscribe-only, etc.
The JWT itself is made up of three entities: header, payload and signature.
- A JWT header generally contains information about the type of token (JWT in this case) as well as the hashing algorithm used.
- The payload consists of the actual application API key that’s obtained from the Ably dashboard for each application. This payload data is generally referred to as ‘claims’.
- Finally, the signature, can be either symmetric or asymmetric as described below.
Symmetric Signatures allow your auth server to create a token using the API key, similar to the general token auth. The difference being, they do not need to make a separate token request to Ably. Since, Ably already has the API key, it verifies the JWT after decoding it using the same hashing algorithm that was used by your auth server and considers the request authentic if the keys match.
Asymmetric Signatures are similar in terms of their working as the symmetric signatures. However, in this case your auth server would use a private key to create the token. This feature is currently not available in Ably. However, if your business explicitly requires using asymmetric signatures for JWT auth with Ably, get in touch with us and we’d be happy to help!
Currently Ably JWT supports the HS256 hashing algorithm to be used by your auth server to sign the JSON Web Tokens.
2. Embedding an Ably token in an existing JWT
The second way to use JWT i Ably is by embedding an Ably token in an existing JWT that your auth server might already be using to provide authentication to your clients. This way, your auth server does not have to pass a separate Ably token.
Getting started with JWT in Ably
To start using JWT authentication with Ably, visit the JWT documentation on the website, or follow a tutorial to get started quickly.
If you are new to JWT, I highly recommend reading this awesome article - “5 easy steps to understand JWT”.
Thoughts? Comments? Feel free to comment here or ping me on Twitter in case of any queries :) My DMs are open!