SSO and JWT

Tue 1 Nov 2022

SSO is a great opportunity for companies to centralize their authentication and authorization system. If done right, you can make your systems more secure and easier to manage. We've done exactly this, and I've been brushing up my knowledge on SSO and JWTs. I already knew what they were, but before this we used a completely outsourced platform to manage them. You only get limited exposure to these when it's implemented like that.

JWTs are an amazing mechanism for sharing a small payload between server and client. Most SSO solutions will use JWTs after the user has been authenticated. A JWT is composed of a header, a payload and a signature. The payload contains the information you want to share; this could be virtually anything. The header contains information about which algorithm is used. Then there is the signature, which is computed over the header and payload using a secret known only to the server.

This creates a shareable piece of information that the server can re-evaluate and trust when the signature matches. The re-evaluation fails when anything changes in the header, the payload or the signature.

This is why SSO platforms use this mechanism to share a small payload after they've authenticated the user: they can quickly re-evaluate the token and check whether the user is still supposed to be authorized. The official JWT website has a fun tool that demonstrates how this works. You can check it out to play with an example and get to know the mechanism.

There are platforms that take SSO completely out of your hands and offer it as SaaS. When this is done you hardly know the mechanics that drive such platforms. It was a fun learning experience for me. Everything that involves cryptography piques my interest, and you get to learn that something like JWT is simple, strong and well thought through. I love it when you learn something like that.

That said, if you have SSO somewhere in your digital landscape and don't yet know how this works, then it might be worthwhile to check out the following blog. The author does an awesome job of explaining how it works.