Me On IT
On the Way to Digital Identity: JSON Web Tokens

This blog now has a protected area. Creating it took real effort, because the journey was long. I want to report briefly on it.

I had already explained the importance of signatures in Web3 in a previous blog entry: a signature proves that one controls a certain blockchain address. This opens up the vast field of digital identities. Those who can sign digitally exist as an independent personality on the internet.

I'm fascinated by this. So much so that I set out to explore how this might look in the (hopefully near) future. What is technically possible today -- and why haven't digital distributed identities already turned the world upside down?

On this journey of discovery, I quickly encountered questions of interoperability: Web3 and blockchain are still accessible to only a few people today. Most people are not interested in what is behind them. For them, it is a suspect technology that they do not trust, that is too complicated and not future-proof. These people want to use internet services the way they have long been used to.

Only when Web3 technology becomes interoperable will it experience widespread acceptance.

Interoperability led me to JSON Web Tokens. JSON Web Tokens (JWTs) are an open and widely used standard for secure data exchange between two parties that trust each other.

A JWT is a small, digitally signed data packet (it can additionally be encrypted, but usually is not) that contains a validity period as well as further information in JSON format, called the payload. The payload carries the data to be exchanged.

A JWT can be stored as a browser cookie, or it can be transmitted in the Authorization header of an HTTP request. JWTs are thus a simple and comparatively secure way to transmit data over the Internet that should not be accessible to everyone at all times.

Back to this blog: My question had been whether I could make a part of my blog visible only to an authorized user group. Additionally, I wanted to enable authorization for certain protected files that could be downloaded from my blog: Only with certain permissions should it be possible to download such files.

Ethereum addresses, and the signatures created with their private keys, are to be used for authentication: a JWT is issued only to someone who presents a valid Ethereum address together with a matching signature.

Thus we have a bridge between Web3 and Web2, that is, between the blockchain world and the classic Internet: owning an Ethereum address becomes equivalent to owning a specific JWT. It follows:

By giving you an Ethereum address, I give you an identity that can be transferred securely between different parties on the internet.

That is the core of a digital identity.
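To make the two pieces above concrete (a JWT with a validity period and a JSON payload, carried in the Authorization header, and a JWT minted for an Ethereum address whose signature has been checked), here is an added, self-contained Python example that is not code from this blog. It assumes the Ethereum signature has already been verified by the caller (for instance with an EIP-191 message recovery, which is outside this block), uses an HS256 shared secret that is constructed for the demo, and invents the claim names `sub` and `scope` for the protected area and the downloads.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret; a real deployment uses a long random key kept server-side.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(eth_address: str, ttl_seconds: int = 3600,
              now: Optional[int] = None, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT whose subject is an Ethereum address that the caller
    has ALREADY authenticated via its signature (assumed, not done here)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Hex addresses are case-insensitive; normalise so lookups are stable.
    payload = {"sub": eth_address.lower(), "iat": now, "exp": now + ttl_seconds,
               "scope": ["protected-area", "downloads"]}  # hypothetical claim
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: Optional[int] = None,
               secret: bytes = SECRET) -> Optional[dict]:
    """Return the payload if signature and validity window hold, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never accept "none" or a foreign alg
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if not (payload.get("iat", now) <= now < payload.get("exp", 0)):
        return None  # not yet valid, or expired
    return payload


def bearer_from_header(value: str) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <jwt>' header value."""
    scheme, _, token = value.strip().partition(" ")
    return token if scheme == "Bearer" and token else None
```

The verifier checks the algorithm, the HMAC and the time window in that order, so a token that is forged, expired or carries `alg: none` never reaches the payload.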

Now you are free from particular providers. You can act on the Internet in a self-determined and independent way. It is not Google or Amazon that decide who you are, but you yourself, with your Ethereum address.

That sounds promising, doesn't it? -- For me, it was so fascinating that I spent a long time trying to find at least a small part of a concrete implementation. However, I am aware that I cannot solve questions that are so significant and ultimately affect all people.

But I can at least open a door a crack. If then a beam of light falls on the floor in front of my feet, I will say: Now it's gradually becoming clearer ...

Well then! The door handle is pressed. In the next post, the technician in me will reappear ... 😀...