Adding Authorization with JWTs

Previously, we created an application that allows us to log in and return the logged-in user. However, if we want to use the login in any API, we’ll have to create an authorization mechanism. This mechanism should enable the users of the API to authenticate, get a token, and use that token to identify themselves and access resources.

We’re doing this as we want to close part of the application’s routes so that they’re only available to authenticated users.

We’ll develop what’s needed to integrate with token authentication by using JSON Web Tokens (JWTs), which is pretty much a standard in APIs nowadays.

If you are not familiar with JWTs, here’s an explanation from jwt.io:

“JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.”

They’re mainly used when we want our clients to connect to an authentication service, and then provide the servers with the ability to verify if that authentication was issued by a trusted service.

The link https://jwt.io/introduction/ explains what this standard is all about. Make sure to give it a read.

In this lesson, and due to the scope of this course, we won’t implement the whole logic to generate and validate JWTs.

What we’ll do here is integrate our current application with a module that has functions for generating and validating JWTs, which is what matters for our application. Then, we’ll use that token to decide whether we’re letting the user access the museums route.