Introduction to JWT
JWT (JSON Web Token) is a JSON-based open standard for transferring claims between web application environments.
JWT claims are generally used to carry authenticated user identity information between identity providers and service providers so that clients can obtain resources from resource servers; user login is a typical use.
Session-based login authentication
In traditional user login authentication, because HTTP is stateless, a session is used. If the user logs in successfully, the server keeps a session and gives the client a sessionId; the client stores the sessionId in a cookie and sends it with every request.
In the cookie+session mode the session is usually kept in memory. When a service grows from a single instance to several instances it runs into the problem of sharing sessions, and as the number of users grows the overhead grows with it. JWT avoids this: the server only needs to generate a token, the client stores it and sends it with every request, and the server authenticates the request by verifying and parsing the token.
How the JWT looks after generating the Token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmciOiLku4rml6XlpLTmnaEiLCJuYW1lIjoiRnJlZeeggeWGnCIsImV4cCI6MTUxNDM1NjEwMywiaWF0IjoxNTE0MzU2MDQzLCJhZ2UiOiIyOCJ9.49UF72vSkj-sA4aHHiYN5eoZ9Nb4w5Vb45PsLF7x_NY
Composition of JWT
The first part is called the header, the second part the payload, and the third part the signature.
header
The header of a JWT carries two pieces of information:
- the token type, here JWT
- the signing algorithm, usually HMAC SHA256
The full header looks like the following JSON:
{
"typ": "JWT",
"alg": "HS256"
}
The header is then base64url-encoded (this is encoding, not encryption: anyone can reverse it), forming the first part:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
payload
The payload is where the actual claims are stored. The name refers to the cargo carried by a plane, and these claims fall into three groups:
- claims registered in the standard
- public claims
- private claims
Claims registered in the standard (recommended but not mandatory):
- iss: the issuer of the JWT
- sub: the subject (user) the JWT is about
- aud: the party the JWT is intended for
- exp: the expiration time of the JWT, which must be later than the issuance time
- nbf: the time before which the JWT must not be accepted
- iat: the time the JWT was issued
- jti: the unique identifier of the JWT, mainly used to make a token one-time and so prevent replay
Public claims:
Public claims can carry any information, generally user-related data or whatever the business logic needs. Sensitive information should not be placed here, because this part can be decoded on the client side.
Private claims:
Private claims are agreed between the provider and the consumer. Sensitive information should not be stored here either: base64 is a reversible encoding, so this part of the token is effectively plaintext.
Define a payload:
{
"name": "Free Code Farmer",
"age": "28",
"org": "Today's Toutiao"
}
It is then base64url-encoded to produce the second part of the JWT:
eyJvcmciOiLku4rml6XlpLTmnaEiLCJuYW1lIjoiRnJlZeeggeWGnCIsImV4cCI6MTUxNDM1NjEwMywiaWF0IjoxNTE0MzU2MDQzLCJhZ2UiOiIyOCJ9
signature
The third part of the JWT is the signature, which is computed from three inputs:
- the header (after base64url encoding)
- the payload (after base64url encoding)
- the secret
The base64url-encoded header and the base64url-encoded payload are joined with a dot, and the resulting string is signed with the algorithm declared in the header using the secret. The signature forms the third part of the JWT:
49UF72vSkj-sA4aHHiYN5eoZ9Nb4w5Vb45PsLF7x_NY
The secret key is stored on the server; the server both generates tokens and verifies them with this key, so it must be protected. Anyone who obtains the secret can mint tokens the server will accept.
Implementation in Java
Maven
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.1.0</version>
</dependency>
Encryption and verification code:
Test code:
Code output result:
The output shows that the first verification, run on the freshly generated token, passes and prints the claims contained in the token. The second call, made with an expired token, throws an exception stating that the token has expired.
JWT summary
1. Because JSON is universal, JWT is supported across languages such as Java, JavaScript, Node.js, PHP and many others.
2. In the payload, a JWT can carry non-sensitive information that other business logic needs.
3. A JWT is easy to transmit: its structure is simple and it occupies few bytes. Because the server does not need to store session state, the service is easy to scale out.