JSON Web Token (abbreviation JWT)

JSON Web Token (JWT) is currently the most popular solution for cross-domain authentication. This article explains how it works and how to use it.

The cross-domain authentication problem

Internet services cannot do without user authentication. The conventional process looks like this.

  1. The user sends a username and password to the server.

  2. After verifying them, the server stores the relevant data in the current session, such as the user's role and login time.

  3. The server returns a session_id to the user, who stores it in a cookie.

  4. On every subsequent request the user sends the session_id back to the server in the cookie.

  5. The server receives the session_id, looks up the data it stored earlier, and thereby knows who the user is.

The problem with this model is that it does not scale well. On a single machine there is no issue, but in a server cluster, or in a cross-domain service-oriented architecture, the session data has to be shared so that every server can read it.

For example, sites A and B both belong to the same company. The requirement is that once a user logs in on one site, visiting the other site logs them in automatically. How can this be achieved?

One solution is to persist the session data by writing it to a database or some other persistence layer. Every service that receives a request then fetches the session data from the persistence layer. The advantage of this approach is a clear architecture; the disadvantage is a larger engineering effort, and if the persistence layer goes down it becomes a single point of failure.

The other option is for the server to keep no session data at all: everything is stored on the client and sent back to the server with every request. JWT is the representative of this approach.

The JWT principle

The idea behind JWT is that, after authenticating the user, the server generates a JSON object and returns it to the user, something like the following (translated from the original example).

{
  "name": "Zhang San",
  "role": "administrator",
  "expires": "July 1, 2018 00:00"
}

On every later exchange with the server the user sends this JSON object back, and the server relies entirely on the object to identify the user. To stop users from tampering with the data, the server signs the object when it generates it (more on this below).

Since the server stores no session data, it becomes a stateless server, which makes it much easier to scale out.

A JWT is a long string divided into three parts by dots (.). Note that there are no line breaks inside a JWT; it is shown on several lines here only for readability.

The three parts, in order, are:

  • Header
  • Payload
  • Signature

Written on one line, it looks like this.

Header.Payload.Signature

Header

The Header is a JSON object describing metadata about the JWT, typically like the following.

{
  "alg": "HS256",
  "typ": "JWT"
}

In the object above, the alg property indicates the signature algorithm; the default used here is HMAC SHA256 (written HS256). The typ property indicates the type of the token; for a JWT it is always written JWT.

Finally, the JSON object above is converted into a string with the Base64URL algorithm (described below).

Payload

The Payload is also a JSON object, holding the data that actually needs to be transmitted. JWT defines seven official (registered) fields to choose from.

iss (issuer): who issued the token
exp (expiration time): when the token expires
sub (subject): the subject of the token
aud (audience): the intended recipient
nbf (not before): the time from which the token becomes valid
iat (issued at): when the token was issued
jti (JWT ID): a unique identifier for the token

Besides the official fields, you can also define private fields in this part. Here is an example.

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Note that by default a JWT is not encrypted; anyone can read it, so do not put confidential information in this part.

This JSON object is likewise converted into a string with the Base64URL algorithm.

Signature

The Signature is a signature over the first two parts and prevents tampering with the data.

First, a secret key must be chosen. Only the server knows this key; it must never be disclosed to users. Then, using the algorithm specified in the Header (HMAC SHA256 by default), the signature is produced as follows.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

Once the signature is computed, the Header, Payload and Signature are joined into a single string, with a dot (.) between each part, and that string can be returned to the user. When verifying a token, the server should use the algorithm it expects rather than whatever alg value the incoming token claims; otherwise the token itself can choose how (or whether) it is checked.

Base64URL

As mentioned earlier, the Header and Payload are turned into strings with the Base64URL algorithm. It is essentially the same as Base64, with a few small differences.

A JWT is a token, and it may end up in a URL (for example api.example.com/?token=xxx). Base64 uses three characters that have special meaning in URLs: +, / and =. Base64URL replaces them: = is omitted, + becomes - and / becomes _. That is the whole of the Base64URL algorithm.
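The signing formula in the Signature section and the Base64URL rules above, carried through end to end as an added example in Python (this is not code from the original article). It uses only the standard library. The secret and the claims are constructed for illustration; the alg pinning in verify_hs256, the exp/nbf checks and the bearer_token helper are this example's own additions, written the way a server that consumes the Authorization header described later would need them.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; a real one must be random and live only on the server.
SECRET = b"example-secret-for-illustration-only"


def b64url_encode(data: bytes) -> str:
    """Base64URL: standard Base64 with '+' -> '-', '/' -> '_' and the '=' padding dropped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the dropped padding, then decode."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _json_bytes(obj) -> bytes:
    # Compact separators so the encoded JSON carries no whitespace.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build Header.Payload.Signature exactly as the article's formula describes."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the payload of a valid token; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The server pins the algorithm; it must not let the token pick one
    # (otherwise "alg": "none" or a key-confusion attack would bypass the check).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks timing information about the MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


def is_valid(token: str, secret: bytes, now=None) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need yes/no."""
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:  # binascii.Error and JSONDecodeError are ValueError subclasses
        return False


def bearer_token(authorization_header: str):
    """Pull the token out of an 'Authorization: Bearer <token>' header value, or None."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


if __name__ == "__main__":
    token = sign_hs256({"sub": "1234567890", "name": "John Doe", "admin": True,
                        "exp": int(time.time()) + 300}, SECRET)
    print(token)
    print(verify_hs256(bearer_token("Bearer " + token), SECRET))
```

The first segment of any token produced by sign_hs256 is the familiar eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, which is just the compact header JSON run through b64url_encode. Note that verify_hs256 checks the signature before it parses the payload, so an unsigned or forged payload is never interpreted.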

Using JWT

When the client receives the JWT from the server, it can store it in a cookie or in localStorage. Keep in mind that anything in localStorage is readable by any script running on the page, so a cross-site scripting bug exposes the token there, whereas a cookie marked HttpOnly cannot be read from script.

From then on, every request from the client to the server must carry the JWT. You can keep it in a cookie so that it is sent automatically, but cookies are not sent across domains, so the better approach is to put it in the Authorization header of the HTTP request.

Authorization: Bearer <token>

Another approach for cross-domain requests is to put the JWT in the body of a POST request.

Several characteristics of JWT

  1. A JWT is not encrypted by default, but it can be. After the original token is generated, it can be encrypted once more with a key.

  2. Unless the JWT is encrypted, secret data must not be written into it.

  3. JWT is not only useful for authentication; it can also be used to exchange information. Used well, it can reduce the number of database queries the server has to make.

  4. The biggest drawback of JWT is that, because the server keeps no session state, a token cannot be revoked while it is in use, nor can its permissions be changed. In other words, once a JWT is issued it remains valid until it expires, unless the server deploys additional logic.

  5. A JWT contains the authentication information itself, so if it leaks, anyone holding it gets all the permissions of that token. To limit the damage from theft, the validity period of a JWT should be kept short, and for sensitive operations the user should be asked to authenticate again.

  6. Also to reduce the risk of theft, a JWT should not be transmitted over plain HTTP; use HTTPS.
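Items 4 and 5 above, as an added example (not from the original article): the "additional logic" a server can deploy to revoke a token before it expires, here a denylist keyed by jti that is pruned once the token would have expired anyway, plus a policy check that refuses tokens that carry no jti (and so could never be revoked) or whose lifetime is longer than the server is willing to honour. The MAX_LIFETIME value and the accept function are assumptions for illustration, and the claims dictionaries are constructed and assumed to have already passed signature verification. Note that the denylist is shared server state, which is precisely the trade-off the article's first section describes; it is far smaller than a full session store, because it holds only revoked tokens and only until their exp.

```python
import time


class RevocationList:
    """Server-side denylist of revoked token IDs (jti), each kept only until its exp."""

    def __init__(self):
        self._revoked = {}  # jti -> exp (seconds since the epoch)

    def revoke(self, claims: dict) -> None:
        """Revoke a token by its jti; exp tells us when the entry can be dropped."""
        if "jti" not in claims or "exp" not in claims:
            raise ValueError("only tokens with jti and exp can be revoked")
        self._revoked[claims["jti"]] = claims["exp"]

    def purge(self, now: float) -> None:
        """Drop entries for tokens that have expired; the exp check rejects those anyway."""
        self._revoked = {jti: exp for jti, exp in self._revoked.items() if exp > now}

    def is_revoked(self, claims: dict, now=None) -> bool:
        now = time.time() if now is None else now
        self.purge(now)
        return claims.get("jti") in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


# Assumption for this example: the server refuses any token whose exp - iat exceeds
# 15 minutes, so a stolen token is useful to an attacker for at most that long.
MAX_LIFETIME = 15 * 60


def accept(claims: dict, revoked: RevocationList, now=None) -> bool:
    """Policy check applied to claims whose signature has already been verified."""
    now = time.time() if now is None else now
    if "jti" not in claims or "exp" not in claims or "iat" not in claims:
        return False  # cannot be revoked or aged: refuse it
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        return False  # item 5: keep the validity period short
    if now >= claims["exp"]:
        return False  # expired
    return not revoked.is_revoked(claims, now)


if __name__ == "__main__":
    denylist = RevocationList()
    issued = int(time.time())
    claims = {"sub": "1234567890", "jti": "8b1f6c2e", "iat": issued, "exp": issued + 300}
    print(accept(claims, denylist))          # True: fresh, short-lived, not revoked
    denylist.revoke(claims)                  # e.g. the user logged out or changed password
    print(accept(claims, denylist))          # False: revoked before exp
```

Revoking on logout or password change only works if every token is issued with a jti, so the issuing side has to be changed as well; a token minted without one can only be waited out.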


Origin blog.csdn.net/LU_ZHAO/article/details/105156841