Introduction to JWT and Detailed Explanation of JWT Token Structure

Introduction to JWT

Before introducing JWT, let's take a look at the traditional method of verifying tokens, as shown in the following figure:
[Figure: traditional token verification flow]

Problem:
With the traditional approach, every time a client requests a resource service, the resource service has to forward the token to the authentication service to check that it is legitimate and to fetch the user information associated with it. That extra round trip on every request makes the system slow.

Solution:
With JWT, the user receives a JWT after authenticating successfully. The token itself carries the user-related claims, so the client only has to present the JWT to the resource service, and the resource service verifies the token locally using the algorithm and key agreed in advance. It no longer needs to call the authentication service on every request to complete authorization.

The JWT token authorization process is as follows:
[Figure: JWT token authorization flow]

What are JWTs?

JSON Web Token (JWT) is an open industry standard (RFC 7519) that defines a compact, self-contained format for transmitting claims as a JSON object between two parties. Because the token is digitally signed, the recipient can verify that it has not been altered and can trust its contents. A JWT can be signed with an HMAC (a shared secret) or with an RSA or ECDSA public/private key pair; the signature lets the recipient detect tampering, but it does not hide the contents.
Specification: https://tools.ietf.org/html/rfc7519

Advantages of JWT tokens:
1. JWT is JSON-based, so it is easy to parse in any language.
2. The payload can carry arbitrary custom claims, so it is easy to extend.
3. The digital signature (HMAC or asymmetric) lets the verifier detect any tampering with the header or payload.
4. Resource services can verify the token and authorize the request on their own, without depending on the authentication service.

Disadvantages:
1. A JWT is much longer than an opaque session ID, so it takes more storage and bandwidth, and it is sent with every request.
2. A signed JWT is not encrypted: anyone who obtains the token can read its claims.
3. Because verification is stateless, an issued token remains valid until its exp time. Revoking it earlier requires server-side state (for example a deny list), which gives back part of the performance advantage.

JWT token structure

Understanding the structure of a JWT is the foundation for building and customizing your own tokens.
A JWT consists of three parts separated by dots (.), for example: xxxxx.yyyyy.zzzzz, that is, header.payload.signature.

Header

The header declares the token type (JWT) and the signing algorithm, for example HS256 (HMAC with SHA-256) or RS256 (RSA with SHA-256).
An example header:

{
	"alg": "HS256",
	"typ": "JWT"
}

Base64url-encoding this JSON (without padding) yields the first segment of the token. Note that the header is part of the untrusted input: the verifier must decide which algorithms it accepts and must never simply run whatever alg the token names (such as "none"), otherwise the signature check can be bypassed.

Payload

The second part is the payload, also a JSON object, which carries the claims. It can use the registered claims defined by the JWT specification, such as iss (issuer), exp (expiration time, as a Unix timestamp), sub (subject, i.e. the user the token is about), aud (audience) and iat (issued at), and it can also carry custom fields.
Do not store sensitive information in this section: base64url is an encoding, not encryption, so anyone who obtains the token can decode it and read the original content.
Base64url-encoding the payload JSON yields the second segment of the token.
An example payload:

{
	"sub": "1234567890",
	"name": "456",
	"admin": true
}

Signature

The third part is the signature, which lets the recipient detect any tampering with the header or payload.
The signing input is the base64url-encoded header and the base64url-encoded payload joined with a dot (.). This string is signed with the algorithm declared in the header, and the result is itself base64url-encoded to form the third segment.
An example, for HS256:

HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    secret)

base64UrlEncode(header): the first segment of the token.
base64UrlEncode(payload): the second segment of the token.
secret: the shared secret used both to sign and to verify. With HS256 anyone who holds the secret can mint valid tokens, so it must be strong and kept only on the issuing and verifying services. The verifier recomputes the MAC over the first two segments and compares it with the third segment using a constant-time comparison.
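The following added example (not code from the original post) walks through the three segments end to end with nothing but the Python standard library: it builds an HS256 token, shows that the payload can be read by anyone without the secret, and verifies the token the way a resource service would in the flow described above, with the accepted algorithm pinned and the MAC compared in constant time. It then shows that a token whose payload was edited, and one whose header was swapped to "alg": "none", are both rejected. The secret, claims and timestamps are constructed for illustration.

```python
"""Build and verify an HS256 JSON Web Token with only the Python standard library.

Added example for this article, not code from the original post. The secret,
claims and timestamps are constructed for illustration only.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. Real HS256 keys should be at least 32 random bytes
# and never hard-coded in source.
DEMO_SECRET = b"demo-secret-for-illustration-only-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as the JWS spec (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_bytes(obj: dict) -> bytes:
    # Compact separators keep the segment short; sort_keys makes output stable.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature exactly as the article describes."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(payload))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def decode_payload_unverified(token: str) -> dict:
    """Anyone holding a token can do this: base64url is encoding, not encryption."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Check signature and expiry; return the claims or raise ValueError.

    The accepted algorithm is pinned by the verifier instead of being read
    from the header, so an attacker-supplied "alg": "none" (or a switch to
    another algorithm) cannot change how the signature is checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_seg, payload_seg, sig_seg = parts
    if json.loads(b64url_decode(header_seg)).get("alg") != "HS256":
        raise ValueError("unexpected alg; only HS256 is accepted here")
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the MAC cannot be leaked byte by byte via timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("signature mismatch: tampered token or wrong key")
    claims = json.loads(b64url_decode(payload_seg))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def _rejected(token: str, secret: bytes, now) -> bool:
    try:
        verify_hs256(token, secret, now)
    except ValueError:
        return True
    return False


def tamper_demo(secret: bytes):
    """Return (valid_accepted, tampered_rejected, alg_none_rejected) for a demo token."""
    iat = 1_700_000_000  # constructed fixed timestamp so the result is reproducible
    claims = {"sub": "1234567890", "name": "456", "admin": False, "iat": iat, "exp": iat + 3600}
    token = sign_hs256(claims, secret)
    valid_accepted = verify_hs256(token, secret, now=iat + 10)["admin"] is False
    # Attacker edits the readable payload (admin -> true) but cannot re-sign it.
    header_seg, _, sig_seg = token.split(".")
    forged_payload = b64url_encode(_json_bytes({**claims, "admin": True}))
    tampered = f"{header_seg}.{forged_payload}.{sig_seg}"
    # Attacker swaps in "alg": "none" with an empty signature.
    none_header = b64url_encode(_json_bytes({"alg": "none", "typ": "JWT"}))
    alg_none = f"{none_header}.{forged_payload}."
    return (valid_accepted, _rejected(tampered, secret, iat + 10), _rejected(alg_none, secret, iat + 10))


if __name__ == "__main__":
    demo = sign_hs256({"sub": "1234567890", "name": "456", "admin": True}, DEMO_SECRET)
    print(demo)
    print(decode_payload_unverified(demo))  # readable without the secret
    print(tamper_demo(DEMO_SECRET))
```

Running the script prints the three-segment token, the decoded payload obtained without the secret, and (True, True, True): the genuine token is accepted while the edited payload and the "alg": "none" header are both refused. The important design choice is that verify_hs256 decides the algorithm; the alg field in the header is only checked for agreement, never used to select a verification routine.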


Source: https://blog.csdn.net/a772304419/article/details/132085742