There are generally 5 ways to authenticate users:
- HTTP Basic authentication: the client adds a field to the HTTP header of each request whose value is the Base64-encoded username and password. The username and password must be sent with every request, so it is relatively simple to implement.
- Cookies: the client sends the username and password to the backend. After they are verified, the returned credential is saved in a Cookie and used as the user's logged-in credential; every request carries this Cookie.
- Signatures: the user gets a private key issued by the server. Before sending a request, the entire request is encrypted with the private key, and the resulting string of encrypted data is sent. This method is only applicable to APIs.
- One-Time Passwords: a different password is used for each login; generally the server sends the password to the user by email. This login method is cumbersome.
- JSON Web Token: the user sends the Header, Payload and Signature to the server as agreed, including the authentication information (password). After verification passes, the server returns a token, and the user then uses this token as the login credential. This is suitable for mobile terminals and APIs.
Because of the separation of front end and back end, most current backends only provide the data part, generally in JSON format, so JSON Web Token is a more popular authentication method.
Compared with other authentication methods, JWT has the following advantages:
- Information can be encrypted with HMAC or RSA, so the security of the information is high
- The generated ciphertext is short, and it can contain all user information, the authentication expiration time, user rights or other custom information
- Suitable for authenticating mobile applications and single-page applications
- Flexible to use: once a JWT is obtained, it can be sent by POST or by adding it to the HTTP header
JWT structure
A JWT contains 3 parts:
- Header
- Payload
- Signature
Header
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
The JWT header is fixed. alg indicates which algorithm the JWT uses for encryption; the typ field value is fixed to JWT.
Payload
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}
```
The payload part is the actual authentication information. By modifying the content of this part, authentication information such as user rights is controlled. Apart from some reserved fields such as exp (expiration time), aud and iss, it is used in the same way as normal JSON.
Signature
The signature, computed with the secret key, is used to guarantee the security strength of the ciphertext.
The 3 parts above are each Base64Url-encoded, joined with ".", and then encrypted with HMAC SHA256 or RSA into a single string:
```
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)
```
A concrete demonstration of this is available on JWT.IO.
JWT usage flow
The client POSTs the username and password to the server (if the security requirements are high, these can be the encrypted username or password). The server compares the received username and password with those in the database; if they match, it generates a JWT following the process above and returns it to the client. From then on, every client request can carry the obtained JWT in the Authorization HTTP header or in the POST data. The server verifies the JWT and parses out the Payload part, and uses it to decide the user's permissions.
Using JWT is very simple. Taking the node.js package node-jsonwebtoken as an example, encryption and verification are just two functions, jwt.sign and jwt.verify, and jwt.io provides JWT packages for many languages.