Understanding: JWT

What is JWT (JSON Web Token), and what is it used for?

------------------------------------------------------------------------

1. Introduction to JWT


JSON Web Token, abbreviated JWT, is essentially a token: a compact, URL-safe way of passing claims between the two parties of a network communication.
It is usually carried in the Authorization HTTP header, with the keyword Bearer and a space placed in front of the value. It can also be passed in the URL or in the request body. (The transmission channels are the same as for a session identifier.)




Comparison with sessions:
Session:
After a user authenticates, the server must keep a record so that the user's next request can be recognised. The session is usually stored in memory, so as the number of authenticated users grows, the overhead on the server grows significantly.

If the authentication record lives in the memory of one server, the user's next request must reach that same server in order to obtain the authorized resources. In distributed applications this correspondingly limits what the load balancer can do.



JWT:
A JWT can be seen as a more elaborate form of a session: the (non-sensitive) data that would otherwise be stored in the session is stored in the JWT itself.
A session passes only a session id,
whereas a JWT can carry all of the needed information, written into its body.

The server does not need to keep the user's authentication or session information. This means that an application built on token-based authentication does not need to care which server the user logged in on, which makes scaling out easier. (The data that used to live in server memory is instead written into the JWT, which can be transferred across domains.)

The token must be sent to the server with every request, and it should be carried in the request header. In addition, the server must support CORS (Cross-Origin Resource Sharing); on the server this is generally done with the response header Access-Control-Allow-Origin: *. Note that the wildcard * permits any origin, and browsers will not send credentials (such as cookies) to a wildcard origin, so a production server normally lists its specific allowed origins instead.


JWT is an alternative to cookie/session based authentication.



2. How is a JWT signed and verified?

A JWT consists of three parts, joined in order by dots ("."): 1. header, 2. payload, 3. signature.

For example: aaaa.bbbbbb.cccc

The header states the token type and the algorithm used. It is only Base64url-encoded, not encrypted, so anyone holding the token can read it:

{
  "alg": "HS256",  // signing algorithm
  "typ": "JWT"     // token type
}

The payload is a set of claims (this is where the actual data lives). Like the header it is only Base64url-encoded, not encrypted, which is why it must hold only non-sensitive data.

The signature is produced by joining the encoded header and payload with a dot, adding the secret key,
and computing a MAC over that string with the algorithm named in the header.

The signature generation equation:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

Only the server holds the secret, so only the server can produce a matching signature.
This is what lets the server verify the token.

Notice:
The secret is stored on the server side, and JWTs are issued and generated on the server side as well. The same secret is used both to issue a JWT and to verify it. It is therefore, in effect, your server's private key and must never be revealed in any scenario.






3. The relationship between OAuth 2.0 and JWT

OAuth 2.0 is an authorization protocol (like every protocol, it defines specific flows and steps: the OAuth 2.0 authorization flow).

The token that OAuth 2.0 uses in its authorization flow is, in the scenario described here, in JWT format.


The authorization and token acquisition process is as follows:


Authorization part
1.
First, the server application (hereinafter "the application") lets the user submit a user name and password to the server's interface through a web form.
This is usually an HTTP POST request. The recommended way is to send it over an SSL/TLS-encrypted connection (https), which prevents the sensitive information from being sniffed.

2.
Next, the application checks the user name and password against the database.
If they are correct, the OAuth 2.0 verification step is performed.
Finally, the application puts the user's id (user_id in the figure) into the JWT payload as a claim,
Base64url-encodes it, joins it with the encoded header and signs the result to form a JWT. The JWT is a string of the form lll.zzz.xxx.

Acquisition part
3.
The application returns the JWT string to the user in a cookie.
Note that the HttpOnly attribute must be set here so that the cookie cannot be read by JavaScript, which prevents it from being stolen through cross-site scripting (XSS).

Until the cookie expires or is deleted, every request the user makes to the application carries the cookie containing the JWT.
The application can then extract the JWT from the request.

4.
The application validates the JWT through a series of checks:
for example, whether the signature is correct; whether the token has expired; and (optionally) whether the token's intended recipient is this application.

Once the application has confirmed that the JWT is valid, it Base64url-decodes the JWT (this may already have happened in the previous step)
and reads the user's id from the payload, i.e. the user_id claim. Here the user's id is 1025.

The application loads the record of the user with id 1025 from the database into memory and performs low-level initialization such as setting up the ORM.
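As an added example that is not part of the original article, the following Python code implements the signature equation from section 2 and the issue / cookie / validate flow from section 3: issue_jwt builds the token with user_id 1025 in the payload, set_cookie_header returns the HttpOnly cookie, and verify_jwt performs the signature, expiry and recipient checks. The secret value, the audience name "example-app" and the claim layout (user_id, aud, iat, exp) are constructed for this example; the page does not specify them.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret for this example only. A real one is generated
# randomly, lives only on the server and is never revealed.
SECRET = b"example-server-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64url encoding without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(signing_input: str, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(mac)


def issue_jwt(user_id: int, audience: str, secret: bytes, now: int, ttl: int = 3600) -> str:
    """Step 2: put user_id into the payload, encode header and payload, sign the pair."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user_id": user_id, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8")),
    ])
    return signing_input + "." + sign_hs256(signing_input, secret)


def set_cookie_header(token: str, ttl: int) -> str:
    """Step 3: hand the JWT to the browser as an HttpOnly cookie (Set-Cookie value)."""
    return "jwt=%s; Max-Age=%d; HttpOnly; Secure; SameSite=Lax; Path=/" % (token, ttl)


def verify_jwt(token: str, audience: str, secret: bytes, now: int) -> dict:
    """Step 4: check signature, expiry and recipient; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    # The server decides which algorithm it accepts; it does not take the header's word for it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))

    expected = sign_hs256(header_b64 + "." + payload_b64, secret)
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, signature_b64):
        raise ValueError("bad signature")

    payload = json.loads(b64url_decode(payload_b64))
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired")
    if payload.get("aud") != audience:
        raise ValueError("token not intended for this recipient")
    return payload


def check_jwt(token: str, audience: str, secret: bytes, now: int):
    """Convenience wrapper: (payload, None) on success, (None, reason) on failure."""
    try:
        return verify_jwt(token, audience, secret, now), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    now = int(time.time())
    token = issue_jwt(1025, "example-app", SECRET, now)
    print("Set-Cookie: " + set_cookie_header(token, 3600))
    payload, reason = check_jwt(token, "example-app", SECRET, now)
    print("user_id from payload:", payload["user_id"], "| error:", reason)
```

The verifier recomputes the signature from the first two segments and compares it with the third; a payload altered in transit, a token signed with a different secret, an expired token or one addressed to another application all fail before the user_id claim is ever used.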
