A solution for RESTful security authentication and permissions

1. Common methods of RESTful security authentication
1. Session + Cookie
The traditional Web authentication method. It has to solve the problems of session sharing and cross-domain requests.
2. JWT
JSON Web Token.
3. OAuth
Supports two-party and three-party authentication. It is a widely used security authentication method, but it is not suitable for scenarios that do not involve third-party login.

2. Introduction to JWT
A JWT consists of three parts: Header, Payload and Signature.

Example JSON Web Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0b3B0YWwuY29tIiwiZXhwIjoxNDI2NDIwODAwLCJodHRwOi8vdG9wdGFsLmNvbS9qd3RfY2xhaW1zL2lzX2FkbWluIjp0cnVlLCJjb21wYW55IjoiVG9wdGFsIiwiYXdlc29tZSI6dHJ1ZX0.yRQYnWzskCZUxPwaQupWkiUzKELZ49eM7oWxAQK_ZXw

Example Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
Base64url-encoded, this gives: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

The Payload generally includes the following claims:
- iss: the issuer of the token
- sub: the subject of the token
- aud: the audience of the token
- exp: token expiration time, in Unix time
- nbf: "not before" time, before which the JWT must not be accepted for processing
- iat: "issued at" time, in Unix time, at which the token was issued
- jti: JWT ID, a unique identifier for the JWT

Example Payload:
{
  "iss": "toptal.com",
  "exp": 1426420800,
  "http://toptal.com/jwt_claims/is_admin": true,
  "company": "Toptal",
  "awesome": true
}
Base64url-encoded, this gives:
eyJpc3MiOiJ0b3B0YWwuY29tIiwiZXhwIjoxNDI2NDIwODAwLCJodHRwOi8vdG9wdGFsLmNvbS9qd3RfY2xhaW1zL2lzX2FkbWluIjp0cnVlLCJjb21wYW55IjoiVG9wdGFsIiwiYXdlc29tZSI6dHJ1ZX0

The Signature is produced by signing the encoded Header and Payload with the key.

Advantages of JWT:
- Stateless: the service can be scaled out horizontally without limit
- Reusable: works across languages, platforms and domains
- Higher security: since no cookies are used, cross-site request forgery (CSRF) attacks are prevented
- Good performance: the server only verifies the token and parses its content

3. Implementation of JWT authentication
1. The client does not need to hold the key; the server generates the Token with the key.
2. When the client logs in, it authenticates to the server with its account and password. Once authentication succeeds, the server generates a Token with the key it holds. The Token generally contains the expiration time and the user's unique identifier, such as the user ID, and the server returns the Token to the client.
3. The client saves the Token returned by the server.
4. When the client makes a business request, it places the Token in the Authorization header, for example: Authorization: Bearer Token
5. The server verifies the Token in the request and checks in Redis whether the Token is present. This handles the case of a user who has logged out while the Token is still within its validity period: if the Token is found in Redis, the user has logged out and the request is rejected; if it is not found, verification passes.
6. The server can check the relevant permissions through the user's unique ID obtained from the Token, and attach the user ID to the request parameters so that the business logic is processed under this user ID.
7. When the user logs out, the server saves the Token that is still within its validity period in Redis, with the correct expiration time set.
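The flow in steps 1 to 7, as an added example that is not part of the original article: a self-contained Python implementation of HS256 issuance and verification using only the standard library, with an in-memory LogoutStore standing in for the Redis set of logged-out tokens from steps 5 and 7. The SECRET_KEY, user IDs and clock values are constructed for the example; sub, iat and exp are the standard claim names listed in section 2. The header segment it produces is exactly the eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 shown above. One check goes beyond the article's steps: the verifier pins the algorithm to HS256 server-side instead of trusting the alg field in the token, which a verifier must do for the signature check to mean anything.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the signing key lives only on the server (step 1).
SECRET_KEY = b"example-server-only-secret-change-me"


def b64url_encode(data):
    """Base64url without '=' padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    """Inverse of b64url_encode: restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj):
    """Compact JSON (no spaces), so the header segment matches the page's example."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign(signing_input):
    """HS256: HMAC-SHA256 over 'header.payload' with the server-held key."""
    mac = hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256)
    return b64url_encode(mac.digest())


def issue_token(user_id, ttl_seconds, now=None):
    """Step 2: after the password check, the server builds and signs the Token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    return signing_input + "." + sign(signing_input)


def parse_bearer(authorization_header):
    """Step 4: extract the token from 'Authorization: Bearer <token>'; None if absent."""
    scheme, _, token = authorization_header.strip().partition(" ")
    return token.strip() if scheme == "Bearer" and token.strip() else None


class LogoutStore:
    """Stand-in for the Redis set of logged-out tokens (steps 5 and 7), with expiry."""

    def __init__(self):
        self._expiry = {}

    def add(self, token, expires_at):
        self._expiry[token] = expires_at

    def contains(self, token, now):
        expires_at = self._expiry.get(token)
        if expires_at is None:
            return False
        if expires_at <= now:  # Redis would have expired the entry by now
            del self._expiry[token]
            return False
        return True


def verify_token(token, store, now=None):
    """Step 5: returns (True, payload) when valid, otherwise (False, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_seg, payload_seg, sig_seg = parts
    try:
        header = json.loads(b64url_decode(header_seg))
        payload = json.loads(b64url_decode(payload_seg))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    # Pin the algorithm server-side; the token must not choose it (e.g. "none").
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    if not hmac.compare_digest(sign(header_seg + "." + payload_seg), sig_seg):
        return False, "bad signature"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired"
    if isinstance(payload.get("nbf"), int) and payload["nbf"] > now:
        return False, "not yet valid"
    if store.contains(token, now):  # logged out while still within its lifetime
        return False, "logged out"
    return True, payload


def logout(token, store, now=None):
    """Step 7: keep the still-valid Token in the store until its own exp, then let it age out."""
    ok, payload = verify_token(token, store, now)
    if ok:
        store.add(token, payload["exp"])
    return ok
```

A request handler would call parse_bearer on the Authorization header, then verify_token, and only then use payload["sub"] for the permission check in step 6. In production the LogoutStore maps onto a Redis key per token (or per jti) set with a TTL equal to the token's remaining lifetime, which is what "the correct expiration time" in step 7 refers to: the entry only needs to outlive the token it blocks.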



4. How to use JWT in a real environment
1. Web applications
Refresh the token before it expires. For example, if the token's expiration time is set to one week, then every time the user opens the web application the server generates a new token, and keeps generating a new one every hour while it is in use. If the user has not opened the application for more than a week, they will have to log in again.
2. Mobile applications
Most mobile application users log in only once, and periodically refreshing the token keeps them logged in for a long time.
But if the user's phone is lost, the user should be given a way to decide which device's token to revoke. Of course, this requires the server to record the name of the device, such as "maryo's iPad"; the user can then open the application and revoke the token for "maryo's iPad". When the user changes the password, the server needs to save the original Token in Redis to invalidate it.

To prevent the Token from being stolen, JWT is best used together with HTTPS.

5. How to combine security authentication with permissions
The Token generated by the server needs to contain the user's unique ID. When the user makes a business request, the server obtains the user's unique ID from the attached Token and uses this ID to check the permissions.

6. Replacing the Token
When a Token is replaced under highly concurrent access, requests still carrying the old Token may fail. To solve this, the Token itself is not stored in the cache; instead a count is stored. Each time the Token is replaced, the count is incremented by 1. This count, together with the user ID, is placed in the newly generated Token and returned to the user, who carries the Token on every access. When verifying the user's Token, the count in the Token is compared with the count stored in the cache; if the difference is within 1 to 2, the Token is considered valid. In this way, even if the Token is replaced during concurrent access, the two count values differ but remain within the specified range, so the old Token is still accepted, which solves the Token invalidation problem described above.
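The counter scheme in this section, as an added example that is not part of the original article. The cache is modelled as a per-user count keyed by user ID (the article says the count is stored together with the user ID; here that is read as both travelling inside the signed payload, with the signature check itself assumed done beforehand). MAX_LAG = 2 is this example's reading of "a difference within 1 to 2"; the user ID, the cnt claim name and the exp values are constructed. The simulation rotates the Token several times while earlier copies are still in flight and reports which ones the server would still accept, which is the concurrency case the section is about.

```python
MAX_LAG = 2  # the article accepts a count difference of up to 2 between Token and cache


class TokenCounterStore:
    """Constructed stand-in for the cache: one current count per user ID, not the Token itself."""

    def __init__(self):
        self._counts = {}

    def current(self, user_id):
        # A user who has never been issued a Token has count 0.
        return self._counts.get(user_id, 0)

    def rotate(self, user_id):
        """Replacing a user's Token bumps the count; the new value goes into the new Token."""
        self._counts[user_id] = self.current(user_id) + 1
        return self._counts[user_id]


def build_claims(user_id, count, exp):
    """The count travels inside the signed payload next to the user ID (signing not shown here).
    'cnt' is a constructed claim name; exp is kept only so the claims have their usual shape."""
    return {"sub": user_id, "cnt": count, "exp": exp}


def count_is_acceptable(claims, store):
    """Valid when the cache is ahead of the Token by 0..MAX_LAG rotations.
    A Token claiming a count the cache has never reached (negative lag) is rejected outright."""
    lag = store.current(claims["sub"]) - claims["cnt"]
    return 0 <= lag <= MAX_LAG


def simulate_concurrent_rotation(rotations=4):
    """Issue one Token per rotation while the earlier ones are still in flight, then check
    which of them the server would still accept against the final cache count."""
    store = TokenCounterStore()
    in_flight = [build_claims("user-42", store.rotate("user-42"), exp=0) for _ in range(rotations)]
    return [count_is_acceptable(claims, store) for claims in in_flight]
```

With four rotations the cache ends at 4, so the Tokens carrying counts 2, 3 and 4 are accepted and the one carrying count 1 is not; the acceptance window therefore bounds how many replacements a stale Token can survive, and a larger MAX_LAG trades a longer tolerance for concurrency against a longer lifetime for a Token the user has already replaced.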

7. Appendix
https://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs

http://stackoverflow.com/questions/26739167/jwt-json-web-token-automatic-prolongation-of-expiration

http://www.haomou.net/2014/08/13/2014_web_token/

https://jwt.io/
