Now that we have all the security flow, let's make the application actually secure, using <abbr title="JSON Web Tokens">JWT</abbr> tokens and secure password hashing.

This code is something you can actually use in your application, save the password hashes in your database, etc.

We are going to start from where we left in the previous chapter and increment it.

## About JWT

JWT means "JSON Web Tokens".

	github.com/fraugster/parquet-go v0.12.0
	github.com/go-ldap/ldap/v3 v3.4.8
	github.com/go-openapi/loads v0.22.0
	github.com/go-sql-driver/mysql v1.8.1
	github.com/gobwas/ws v1.4.0
	github.com/golang-jwt/jwt/v4 v4.5.0
	github.com/gomodule/redigo v1.9.2
	github.com/google/uuid v1.6.0
	github.com/inconshreveable/mousetrap v1.1.0
	github.com/json-iterator/go v1.1.12
	github.com/klauspost/compress v1.17.10

///

## Global view

First, let's quickly see the parts that change from the examples in the main **Tutorial - User Guide** for [OAuth2 with Password (and hashing), Bearer with JWT tokens](../../tutorial/security/oauth2-jwt.md){.internal-link target=_blank}. Now using OAuth2 scopes:

{* ../../docs_src/security/tutorial005_an_py310.py hl[5,9,13,47,65,106,108:116,122:125,129:135,140,156] *}

* Configure any required permissions and roles using dependencies.
* Never store plaintext passwords, only password hashes.
* Implement and use well-known cryptographic tools, like Passlib and JWT tokens, etc.
* Add more granular permission controls with OAuth2 scopes where needed.
* ...etc.

to-fastapi-and-vice-versa/ title: Tips on migrating from Flask to FastAPI and vice-versa - author: Ankit Anchlia author_link: https://linkedin.com/in/aanchlia21 link: https://hackernoon.com/explore-how-to-effectively-use-jwt-with-fastapi title: Explore How to Effectively Use JWT With FastAPI - author: Nicoló Lino author_link: https://www.nlino.com link: https://github.com/softwarebloat/python-tracing-demo title: Instrument FastAPI with OpenTelemetry tracing and visualize traces in Grafana Tempo....

github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=

/// tip | Dica

No próximo capítulo, você verá uma implementação realmente segura, com hash de senha e tokens <abbr title="JSON Web Tokens">JWT</abbr>.

Mas, por enquanto, vamos nos concentrar nos detalhes específicos de que precisamos.

///

//// tab | Python 3.10+

```Python hl_lines="87"
{!> ../../docs_src/security/tutorial003_an_py310.py!}

		// encountering this LDAP user.
		if _, ok := parentUserToCredsMap[cred.ParentUser]; !ok {
			// Try to find the ldapUsername for this
			// parentUser by extracting JWT claims
			var (
				jwtClaims *jwt.MapClaims
				err       error
			)

			if cred.SessionToken == "" {
				continue
			}

			if cred.IsServiceAccount() {

quarkus/integration-tests/smallrye-jwt-token-propagation/pom.xml
	quarkus/test-framework/security-jwt/pom.xml
	quarkus/test-framework/junit5/pom.xml
	quarkus/extensions/resteasy-classic/resteasy/runtime/pom.xml
	quarkus/extensions/resteasy-classic/resteasy-jackson/runtime/pom.xml
	quarkus/extensions/oidc-token-propagation/runtime/pom.xml
	quarkus/extensions/smallrye-jwt/runtime/pom.xml

    - Security:
      - tutorial/security/index.md
      - tutorial/security/first-steps.md
      - tutorial/security/get-current-user.md
      - tutorial/security/simple-oauth2.md
      - tutorial/security/oauth2-jwt.md
    - tutorial/middleware.md
    - tutorial/cors.md
    - tutorial/sql-databases.md
    - tutorial/bigger-applications.md
    - tutorial/background-tasks.md
    - tutorial/metadata.md