A first look at the JWT authentication scheme

Preface :

  More and more projects now use JWT to some degree. What kind of scenario calls for JWT?

  Suppose there is an app whose backend is a distributed system: the home page module is deployed in a Shanghai data center, and a sub-page module is deployed in a Shenzhen data center. You log in to the app from home, then navigate to the sub-page module. Sessions are not synchronized between the two data centers, so does the user have to log in again?

With the traditional approach (cookie + session), the user does have to log in again, which is a poor experience. Session sharing (transmitting and replicating sessions among many physical machines) puts heavy pressure on network I/O and adds too much latency, which is also a poor experience.

  One might object that storing a session_id on the server and putting it in a cookie would work just as well, so why use a token at all? Many articles online compare the advantages and disadvantages of sessions and tokens. In practice, for an ordinary web application either approach will do. But if you are developing an API with the front end and back end separated, a token is the better choice, because session + cookie is a browser mechanism: the API may also be called from a mobile app, and an app has no notion of sessions or cookies.

  The biggest problem with keeping user information in server-side sessions is that it consumes a lot of server memory and raises the cost of the servers.

  JWT moves the user state out to the client, which significantly reduces memory pressure on the server. With sessions, the state lives on the server and the client stores only a session id; with a token, the state lives on the client.

Principle :

JSON Web Token (abbreviation JWT)

    The principle of JWT is that, after authentication, the server generates a JSON object and returns it to the user; on every subsequent request the user sends that JSON object back to the server.

  The server relies entirely on this object to identify the user. To prevent users from tampering with the data, the server adds a signature when it generates the object.

  The server keeps no session data at all; in other words, it becomes a stateless server, which makes it relatively easy to scale out.

Composition :

 A JWT consists of three parts: Header, Payload, Signature.

Written on one line, it looks like this:

Header.Payload.Signature

 One, Header

A typical header consists of two parts: the token type ("JWT") and the name of the signing algorithm (such as HMAC SHA256 or RSA).

        {
          "alg": "HS256",
          "typ": "JWT"
        }

The alg property names the signature algorithm; HMAC SHA256 (written HS256) is the most common choice. The typ property gives the type of the token, which is JWT.

This JSON is then Base64url-encoded to give the first part of the JWT.

Two, Payload

The second part is the payload, which carries the claims. A claim is a statement about an entity (usually the user) together with additional data.

JWT defines seven registered claims:

  • iss (issuer): who issued the token
  • exp (expiration time): when the token expires
  • sub (subject): the subject of the token
  • aud (audience): who the token is intended for
  • nbf (not before): the time from which the token is valid
  • iat (issued at): when the token was issued
  • jti (JWT ID): a unique identifier for the token

Besides the registered claims, you can also define private claims in this part; here is an example:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}
Be careful not to put sensitive information in the header or payload of a JWT: they are only Base64url-encoded, not encrypted, so anyone who holds the token can read them, unless the token is additionally encrypted.

Three, Signature

The signature covers the first two parts and prevents tampering with them. It is used to verify that the message was not altered in transit, and, for tokens signed with a private key, it also verifies that the JWT really was issued by the party it claims to come from.

To produce the signature you need the encoded header, the encoded payload, a secret key, and the algorithm named in the header; then you sign. For HS256 the signature is computed with the following formula:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Once the signature is computed, the Header, Payload and Signature are joined into a single string with a dot (".") between each part, and that string can be returned to the user.

 

Usage :

 First, the client receives the JWT returned by the server and may store it in a cookie or in localStorage.

After that, the client must send the JWT on every request to the server. It can be placed in a cookie and sent automatically, but that does not work across domains, so the better approach is to put it in the Authorization field of the HTTP request header:

Authorization: Bearer <token>

Two, alternatively, the JWT can be placed in the body of a POST request; then Cross-Origin Resource Sharing (CORS) is not a problem, because no cookie is involved.

In an OAuth 2.0 flow where the access token is a JWT, the steps are:

1. The application (client) requests authorization from the authorization server. In the authorization code flow, for example, this is /oauth/authorize.

2. When authorization is granted, the authorization server returns an access token to the application.

3. The application uses the access token to access a protected resource (such as an API).

Characteristics :

1. JWTs are not encrypted by default, but they can be: after the token is generated, it can be encrypted once more with a key.

2. When a JWT is not encrypted, secret data must not be written into it.

3. The biggest drawback of JWT is that, because the server keeps no session state, a token cannot be revoked mid-lifetime, nor can its permissions be changed. Once issued, a JWT remains valid until it expires, unless the server deploys additional logic.

4. A JWT carries the authentication information itself, so if it leaks, anyone who holds it gets all the permissions of the token. To limit the damage of theft, a JWT's validity period should be kept short, and for the more important operations the user should be asked to authenticate again.
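Points 3 and 4 above describe what the stateless design leaves to the server. As an added example, not code from the original post, here is that "additional logic" in Python: short-lived claim sets with a unique jti, validation of the registered claims (iss, aud, exp, nbf) with a small clock-skew allowance, and an in-memory deny list of jti values so a stolen or logged-out token can be refused before it expires. It assumes the token's signature has already been verified by the caller; the issuer, audience and timestamps are constructed sample values.

```python
"""Added example (not from the original post): claim validation and jti-based
revocation for JWTs whose signature has already been verified.
Issuer, audience and timestamps below are constructed sample values."""
import time
import uuid

LEEWAY = 30  # seconds of clock skew tolerated between issuer and verifier


class ClaimsError(ValueError):
    """Raised when a claim set must be rejected."""


def issue_claims(sub, issuer, audience, ttl_seconds=900, now=None):
    """Build a claim set valid for ttl_seconds (15 minutes by default) with a
    unique jti, so this particular token can be revoked later."""
    now = int(time.time()) if now is None else now
    return {
        "iss": issuer,
        "sub": sub,
        "aud": audience,
        "iat": now,
        "nbf": now,
        "exp": now + ttl_seconds,
        "jti": uuid.uuid4().hex,
    }


class RevocationList:
    """In-memory deny list of jti values. Each entry is kept only until the
    token could no longer be accepted anyway (exp plus leeway), so the list
    stays bounded by the number of tokens revoked within one lifetime."""

    def __init__(self):
        self._entries = {}  # jti -> exp

    def revoke(self, claims):
        self._entries[claims["jti"]] = claims["exp"]

    def __contains__(self, jti):
        return jti in self._entries

    def purge(self, now=None, leeway=LEEWAY):
        """Drop entries whose token has expired; return the remaining count."""
        now = int(time.time()) if now is None else now
        self._entries = {j: exp for j, exp in self._entries.items()
                         if now < exp + leeway}
        return len(self._entries)


def validate_claims(claims, issuer, audience, revoked, now=None, leeway=LEEWAY):
    """Return the claims if acceptable, else raise ClaimsError.
    Call this only after the signature has been verified."""
    now = int(time.time()) if now is None else now
    for name in ("iss", "aud", "exp", "jti"):
        if name not in claims:
            raise ClaimsError(f"missing claim: {name}")
    if claims["iss"] != issuer:
        raise ClaimsError("wrong issuer")
    # aud may be a single string or a list of strings.
    aud = claims["aud"]
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ClaimsError("token is not intended for this audience")
    if now >= claims["exp"] + leeway:
        raise ClaimsError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ClaimsError("token not yet valid")
    if claims["jti"] in revoked:
        raise ClaimsError("token revoked")
    return claims


def claims_ok(claims, issuer, audience, revoked, now=None):
    """Boolean wrapper around validate_claims."""
    try:
        validate_claims(claims, issuer, audience, revoked, now=now)
        return True
    except ClaimsError:
        return False


if __name__ == "__main__":
    iss, aud = "https://auth.example", "orders-api"
    claims = issue_claims("alice", iss, aud)
    revoked = RevocationList()
    print("accepted:", claims_ok(claims, iss, aud, revoked))
    revoked.revoke(claims)  # e.g. on logout or reported theft
    print("accepted after revoke:", claims_ok(claims, iss, aud, revoked))
```

The deny list is the cheapest way to get revocation back without returning to full server-side sessions: the server stores only the ids of tokens it has rejected, not the state of every logged-in user, and the short ttl bounds how long each entry has to be kept. In a multi-node deployment the list would live in a shared store such as a cache, which is far less traffic than replicating whole sessions.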

Note :

A JWT is a signed (not encrypted) string that carries JSON data.

The core of a JWT is the JSON data: this is what you care about and want to pass around safely. What makes a JWT trustworthy is that it is cryptographically signed.

 

(Figure: the token after being tampered with.)

Summary :

See the official documentation: JSON Web Tokens

 


Origin www.cnblogs.com/i3yuan/p/11519431.html