JWT (JSON Web Token) mechanism

1. What is JWT?

JSON Web Token (JWT) is an open standard based on JSON (RFC 7519) for passing claims between web application environments. It defines a compact, self-contained way to transmit information between two parties as a JSON object. Because the token carries a digital signature, the information can be trusted. A JWT can be signed with an HMAC algorithm or with an RSA public/private key pair.

2. When to use JWT?

Authorization: This is the most common scenario for JWT. Once the user logs in, each subsequent request carries the JWT, allowing the user to access the routes, services, and resources that the token permits. Single sign-on is a widely used application of JWT today, because it has little overhead and can easily be used across domains.

Information exchange: JSON Web Tokens are a good way to transfer information between parties securely. Because a JWT can be signed, for example with a public/private key pair, you can be sure that the sender is who it claims to be. In addition, since the signature is computed over the header and payload, you can also verify that the content has not been tampered with.

3. JWT request process (the flow chart is extremely important)

[Figure: JWT request flow chart; image not included in this copy]

4. The structure of JWT

A JSON Web Token consists of three parts:

1. Header: carries two pieces of information, the token type and the signing algorithm used.
2. Payload: the claims
3. Signature
Each of the three parts is Base64url-encoded as text, and the three are joined with a dot (.) to form the JWT string,
similar to the following:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9labIiYrYJTAW4gRG9labIiYrYJTAW4iOnRydVAQFoRmf30FtFtZSI6IkpvaG4gRG9labIiwirYJTAW4iOnRydVAF30

4.1 (Part 1) Header

The header of the JWT carries two pieces of information: the type of token and the signing algorithm used.

{
  "alg": "HS256",
  "typ": "JWT"
}

typ: the declared token type, here JWT.
alg: the declared signing algorithm, usually HMAC SHA256 (HS256).

4.2 (Part 2) Payload

The claims stored in the payload generally fall into three groups:

  1. Registered claims
  2. Public claims
  3. Private claims

4.2.1 Registered claims (recommended, but not required)

Claim   Description
iss     Issuer of the JWT
sub     Subject of the JWT (the user it is about)
aud     Audience: the party intended to receive the JWT
exp     Expiration time, as a timestamp (must be later than the current time)
iat     Time at which the JWT was issued
jti     Unique identifier of the JWT, mainly used to make a token one-time and avoid replay attacks
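The registered claims above only help if the server actually checks them after the signature has been verified. The following added example (not code from the original article) validates iss, aud, exp, iat and jti on an already-decoded payload; the sample payload, the issuer and audience names, and the in-memory replay cache are constructed for illustration.

```python
import time

# Constructed sample payload (not from the article); timestamps are Unix seconds.
SAMPLE_PAYLOAD = {
    "iss": "https://issuer.example",
    "sub": "user-1234",
    "aud": "orders-api",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,  # one hour after iat
    "jti": "c0ffee-0001",
}


class ClaimError(ValueError):
    """Raised when a registered claim fails validation."""


def validate_registered_claims(payload, *, expected_issuer, expected_audience,
                               seen_jti, now=None, leeway=0):
    """Validate iss, aud, exp, iat and jti of an already-decoded JWT payload.

    `seen_jti` is a set acting as a replay cache: a jti accepted once is
    rejected on any later presentation. Signature verification is assumed to
    have happened before this function is called. Returns the payload.
    """
    now = time.time() if now is None else now

    if payload.get("iss") != expected_issuer:
        raise ClaimError("iss mismatch")

    # aud may be a single string or a list of strings (RFC 7519 section 4.1.3).
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ClaimError("token not intended for this audience")

    # exp must be later than the current time (a small leeway absorbs clock skew).
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        raise ClaimError("exp missing")
    if now > exp + leeway:
        raise ClaimError("token expired")

    # A token issued in the future indicates clock trouble or forgery.
    iat = payload.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        raise ClaimError("token issued in the future")

    # jti makes the token one-time: remember it and refuse a second use.
    jti = payload.get("jti")
    if jti is None:
        raise ClaimError("jti missing")
    if jti in seen_jti:
        raise ClaimError("replayed token")
    seen_jti.add(jti)
    return payload
```

In a real deployment the replay cache would live in shared storage with entries expiring at the token's exp, so that it cannot grow without bound.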

4.2.2 Public claims

Public claims can carry any information, generally user-related information or other data the business requires. However, adding sensitive information is not recommended, because this part can be decoded on the client.

4.2.3 Private claims

Private claims are claims defined jointly by the provider and the consumer. Storing sensitive information here is likewise not recommended, because Base64 is a reversible encoding rather than encryption, which means this part of the token is effectively plaintext.

4.3 (Part 3) Signature

The third part of the JWT is the signature. It is computed from three inputs:
header (Base64url-encoded)
payload (Base64url-encoded)
secret
The Base64url-encoded header and the Base64url-encoded payload are joined with a dot, and the resulting string is signed with the secret (key) using the algorithm declared in the header; the output is the third part of the JWT.
The secret key is stored on the server, which uses it both to generate and to verify tokens, so it must be protected.

Origin blog.csdn.net/qq_42418169/article/details/109230274