How is user authentication implemented in the project?

In mainstream projects with a separated front end and back end, the most widely used form of user authentication is currently the most popular cross-domain authentication scheme: JWT (JSON Web Token).

1. Working principle of JWT

Illustration (the original figure is not reproduced here):

User information is kept on the client, in the browser, in the form of a token string.

The server authenticates the user by parsing and verifying that token string.

2. Composition of JWT

A JWT usually consists of three parts: the Header, the Payload, and the Signature.
The three are separated by ASCII dots ("."), giving the format header.payload.signature.

The Payload carries the actual user information as an encoded string (it is not encrypted by default; see section 4).
The Header and the Signature are the security-related parts; they exist so that the server can check that the token is genuine and has not been modified.

3. Operation process

First, the browser client collects the account name and password, places them in the HTTP request body, and sends a login request to the back-end server.

The server receives the request, takes the account name and password from the HTTP request body, and checks them against the database to verify that the user exists and the password is correct.

Once verification succeeds, the server generates a token string from the user's information and returns it to the client browser in the HTTP response body.

After the client reads the token string from the HTTP response body, it stores it on the client side, for example in a Cookie or in LocalStorage.

After a successful login, the client must carry the stored token on every request it makes to the back-end server. The token string is generally sent in the HTTP request header, in the Authorization field.

When the back-end server receives the request, it first intercepts it and verifies the token in the request header. If verification succeeds, it returns the requested data to the client; if no token is carried or the token is invalid, it returns an HTTP 401 status code instead.

4. Advantages and disadvantages

Advantages:

  • No session information has to be kept on the server, so the server's storage burden is small.
  • The JWT Payload can hold commonly needed information for exchange; used well, a JWT reduces how often the server has to query the database.

Disadvantages:

  • Encryption: a JWT is not encrypted by default, although it can be. After the original token is generated, it can be encrypted again with a key.
  • Expiration and revocation: because the server keeps no state, it cannot revoke a token or change its permissions while the token is in use. Once a JWT is issued, it stays valid until it expires, unless the server deploys additional logic.
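The following example is added here and is not code from the original post. It walks through sections 2, 3 and 4 in one place: it builds a header.payload.signature token signed with HMAC-SHA256, shows that the payload can be read by anyone holding the token (it is only Base64URL-encoded), implements the login step and the Authorization-header check that answers with 401 for a missing, forged, expired or revoked token, and adds the "additional logic" section 4 mentions, a revocation list keyed by the token's jti claim. The secret key, the user table and the salt are constructed demo values, and the function names are my own, not a library API.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_SECRET = b"demo-secret-not-for-production"

# Constructed user table holding a salted SHA-256 digest instead of the password.
# (In production use a slow password hash such as bcrypt or Argon2.)
_SALT = b"demo-salt:"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

# Server-side state for the "additional logic" of section 4: revoked jti values.
_REVOKED_JTI = set()


def _b64url(data: bytes) -> str:
    # JWT segments use Base64URL without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_token(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    """Produce header.payload.signature using HS256 (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def read_payload_unverified(token: str) -> dict:
    """Anyone holding the token can do this: the payload is encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_token(token: str, secret: bytes = SERVER_SECRET, now=None) -> dict:
    """Return the claims if algorithm, signature, expiry and revocation checks pass; raise ValueError otherwise."""
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_seg))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the header choose it
    expected = hmac.new(secret, (header_seg + "." + payload_seg).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_seg))
    now = time.time() if now is None else now
    if claims.get("exp") is None or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("jti") in _REVOKED_JTI:
        raise ValueError("revoked")
    return claims


def login(username: str, password: str, now=None):
    """Steps 1-3 of section 3: check credentials, then issue a short-lived token or answer 401."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = _USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, digest):
        return 401, None
    now = time.time() if now is None else now
    claims = {"sub": username, "iat": int(now), "exp": int(now) + 900, "jti": uuid.uuid4().hex}
    return 200, sign_token(claims)


def handle_request(headers: dict, now=None):
    """Steps 5-6 of section 3: read 'Authorization: Bearer <token>'; 401 when missing or invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing token"}
    try:
        claims = verify_token(auth[len("Bearer "):], now=now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    return 200, {"data": "profile of " + claims["sub"]}


def revoke(jti: str) -> None:
    """Server-side revocation (e.g. on logout); costs one lookup per request."""
    _REVOKED_JTI.add(jti)


if __name__ == "__main__":
    status, token = login("alice", "correct horse")
    print(status, read_payload_unverified(token))           # readable without the key
    print(handle_request({"Authorization": "Bearer " + token}))
    revoke(read_payload_unverified(token)["jti"])
    print(handle_request({"Authorization": "Bearer " + token}))  # 401 after revocation
```

Two points worth noticing when running it: the payload is printed without ever touching the secret, which is why a JWT must not carry anything confidential unless it is separately encrypted, and the verifier checks the pinned algorithm before the signature, so a token whose header claims a different algorithm is rejected outright instead of being evaluated.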

Source: blog.csdn.net/h18377528386/article/details/127731492