About JWT (JSON Web Token) [Translation]

Foreword

Recently, while learning API authentication, I found that JWT, a standard protocol, is very suitable as an authentication medium. The jwt.io site has an authoritative introduction to JWT; I used the browser's machine translation of the original, then manually corrected some translation errors and streamlined it where appropriate, and am keeping it here for future review.

What is JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. A JWT can be signed using the HMAC algorithm with a shared secret, or with an RSA or ECDSA public/private key pair.

Although a JWT can also be encrypted to provide confidentiality between parties, this article discusses signed tokens. A signed token lets the recipient verify the integrity of the claims it contains, whereas an encrypted token hides those claims from other parties. When a token is signed with a public/private key pair, the signature also proves that it was produced by the party holding the private key.

When should you use JSON Web Token?

The following are some scenarios in which JSON Web Tokens are useful:

Authorization: This is the most common use of JWT. Once the user has logged in, every subsequent request carries the JWT, and the token determines which routes, services and resources the user is allowed to access. Single Sign On is a feature that widely uses JWT today because of its low overhead and because it is easy to use across different domains.

Information exchange: JSON Web Tokens are a good way to transmit information securely between parties. Because a JWT can be signed, for example with a public/private key pair, you can be sure of the sender's identity. In addition, since the signature is calculated over the header and the payload, you can verify that the content has not been tampered with.

What is JSON Web Token structure?

In its compact form, a JSON Web Token consists of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

Therefore, a JWT typically looks like the following:

xxxxx.yyyyy.zzzzz

Let's break down the different parts.

Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

For example:

{
  "alg": "HS256",
  "typ": "JWT"
}

This JSON is then Base64Url encoded to form the first part of the JWT.

Payload

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically the user) and additional data. There are three types of claims: registered, public and private claims.

Registered claims: These are a set of predefined claims which are not mandatory but are recommended, in order to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience) and so on.
Note that the claim names are only three characters long, because JWT is meant to be compact.

Public claims: These can be defined at will by those using JWT. However, to avoid collisions, they should be defined in the IANA JSON Web Token Registry, or be defined as a URI that contains a collision-resistant namespace.

Private claims: These are custom claims created to share information between parties that agree on using them.

An example payload could be:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

The payload is then Base64Url encoded to form the second part of the JSON Web Token.

Note that for signed tokens this information, although protected against tampering, is readable by anyone. Do not put secret information in the payload or header of a JWT unless it is encrypted.

Signature

To create the signature part, you take the encoded header, the encoded payload, a secret and the algorithm specified in the header, and sign them.

For example, if you want to use the HMAC SHA256 algorithm, the signature is created in the following way:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

The signature is used to verify that the message was not altered along the way and, in the case of a token signed with a private key, it can also verify that the sender of the JWT is who it claims to be.

Putting the three parts together

The output is three Base64Url strings separated by dots, which can easily be passed around in HTML and HTTP environments and is more compact than XML-based standards such as SAML.

The following shows a JWT.
[figure: an encoded JWT]

If you want to put these concepts into practice, you can use the jwt.io Debugger to decode, verify and generate JWTs.
[figure: the jwt.io Debugger]

How do JSON Web Tokens work?

In authentication, when the user successfully logs in using their credentials, a JSON Web Token is returned. Since the token is a credential, great care must be taken to prevent security problems. In general, you should not keep a token valid for longer than necessary.

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema, as follows:

Authorization: Bearer <token>

In some scenarios this provides a stateless authorization mechanism. The server's protected routes check the Authorization header for a valid JWT and, if one is present, allow the user to access the protected resource. If the JWT contains the necessary data, the need to query the database for certain operations can be reduced.

If the token is sent in the Authorization header, Cross-Origin Resource Sharing (CORS) will not be a problem, because it does not use cookies.

The following diagram shows how a JWT is obtained and used to access APIs or resources:
[figure: JWT authorization flow]

  1. The application or client requests authorization from the authorization server.
  2. When the authorization is granted, the authorization server returns an access token to the application.
  3. The application uses the access token to access a protected resource (such as an API).

Note that with signed tokens, all the information contained in the token is exposed to users or other parties, even though they cannot change it. This means you should not put secret information in the token.
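As an added example (not code from the original post or from jwt.io), the following Python builds an HS256 token exactly as the formula in the Signature section describes, then checks a received Authorization: Bearer header the way the server in step 3 would, including the registered exp claim. The secret, claim values and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    # Base64Url: URL-safe alphabet with the "=" padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    signing_input = b64url_json(header) + "." + b64url_json(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_bearer(auth_header: str, secret: bytes, now: int) -> "dict | None":
    """Return the payload if the header carries a valid, unexpired HS256 JWT, else None."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    h_b64, p_b64, s_b64 = token.split(".")
    try:
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # The verifier pins the algorithm it expects; the token's own "alg" value is not trusted
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    # Registered claim "exp": the token is rejected once its expiration time has passed
    if "exp" in payload and now >= int(payload["exp"]):
        return None
    return payload

if __name__ == "__main__":
    key = b"constructed-demo-secret"  # constructed sample secret, not a real key
    tok = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "1234567890", "admin": True, "exp": 1700000000}, key)
    print(tok, verify_bearer("Bearer " + tok, key, now=1699999000), sep="\n")
```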

Origin www.cnblogs.com/qingkongxing/p/11028186.html