JWT (Part 1): Getting to Know JSON Web Token

What is JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. A JWT can be signed with a secret (using the HMAC algorithm) or with a public/private key pair using RSA or ECDSA.

Although JWTs can also be encrypted to provide secrecy between the parties, this article focuses on signed tokens. An encrypted token hides its claims from other parties; a signed token lets the receiver verify the integrity of the claims it contains. When a token is signed with a public/private key pair, the signature also proves that the party holding the private key is the one that issued it.

When to use JWT?

  • Authorization: this is the most common use of JWT. Once the user has logged in, every subsequent request includes the JWT, and the user is allowed to access the routes, services and resources that the token permits. Single sign-on now makes extensive use of JWT, because the token is small and can be used across different domains.
  • Information exchange: JWT is a good way to securely transmit information between parties. Because a JWT can be signed, for example with a public/private key pair, you can be sure of the sender's identity. In addition, the signature is calculated over the header and the payload, so you can verify that the content has not been tampered with.

JWT structure

A JWT consists of three parts, separated by dots (.):

  • Header
  • Payload
  • Signature

A typical JWT looks like this:

xxxxx.yyyyy.zzzzz


Each part is introduced below.

Header: the header is a JSON object that typically consists of two parts:

  • alg: the signing algorithm, such as HMAC SHA256 or RSA

  • typ: the token type, such as JWT

{
  "alg": "HS256",
  "typ": "JWT"
}

Finally, this JSON object is Base64Url-encoded to form the first part of the JWT.

Payload

The payload is a JSON object used to store the data. JWT defines seven official (registered) claim fields:

* iss (issuer): the issuer of the token
* exp (expiration time): the expiration time, in seconds
* iat (issued at): the time of issue, from which the age of the JWT can be calculated
* nbf (not before): the time from which the token becomes valid
* jti (JWT ID): a unique identifier for the JWT, used to prevent the same JWT from being used more than once
* sub (subject): the subject (rarely used)
* aud (audience): the intended audience of the token (rarely used)

In addition to the fields above, you can also define your own private fields, for example:

{
    "userId": "1101",
    "userName": "张三",
    "age": "23"
}

Finally, this JSON object is Base64Url-encoded to form the second part of the JWT.

Tip: by default a JWT is not encrypted, so anyone can read it. Do not store sensitive information in this part unless it is encrypted.

Signature

The signature is produced by signing the Base64Url-encoded header, the Base64Url-encoded payload and a secret key with the algorithm specified in the header; the result is the third part of the token.
For example, using the HMAC SHA256 algorithm:

HMACSHA256(
    Base64Url.encode(header) + "." + Base64Url.encode(payload),
    secret
)

The signature is used to verify that the data has not been tampered with; if the token is signed with a private key, the signature also verifies the identity of the sender of the JWT.

How to use JWT?

When the client receives the JWT returned by the server, it can store it in a cookie or in localStorage.

After that, the client must send the JWT with every request to the server. It can be placed in a cookie, which is sent automatically, but this does not work across domains, so a better approach is to put it in the Authorization field of the HTTP request header:

Authorization: Bearer <token>

Another approach, when requests cross domains, is to put the JWT in the body of a POST request.

JWT features

  1. By default a JWT is not encrypted, but it can be. After the original token is generated, it can be encrypted again with a key.
  2. When a JWT is not encrypted, secret data must not be written into it.
  3. A JWT can be used not only for authentication but also for exchanging information. Used effectively, it reduces the number of database queries the server has to make.
  4. The biggest drawback of JWT is that, because the server does not keep session state, a token cannot be revoked during its lifetime, nor can its permissions be changed. That is, once a JWT is issued it remains valid until it expires, unless the server deploys additional logic.
  5. A JWT carries the authentication information itself, so if it leaks, anyone who holds it gets all the permissions of the token. To limit the damage from theft, the validity period of a JWT should be kept short, and for the more important permissions the user should be authenticated again during use.
  6. To reduce theft, JWTs should not be transmitted over plain HTTP; use HTTPS.

Session-cookie approach: on every request the client carries the session_id in a cookie, and the server tells sessions apart by session_id.

JWT approach: on every request the client carries the token in a request header, and the server tells users apart by the token.

Introduction on the official JWT website


Source: www.cnblogs.com/lhat/p/12018567.html