Django REST framework JWT authentication

JWT authentication

JWT is short for JSON Web Token. It is a token-based scheme for login authentication.

Differences between JWT authentication and ordinary session authentication

  1. A session must be saved on the server (typically in the database); with JWT the server stores no token at all, so server IO is reduced (no write operation on login).
  2. The client stores the token; the server keeps only the issuing and verification algorithms, which are cheap to execute.
  3. Following from the two points above, the token must carry an expiration time, which keeps a token both safe to trust and time-limited even though the server holds no state for it.

Structure of a JWT

  • A JWT is made of three parts, header.payload.signature, joined with "." in between.
  • Each part starts as a JSON dictionary. The header and payload are base64url-encoded, which is reversible (an encoding, not encryption, so anyone holding the token can read them). The signature is computed with the HS256 algorithm (HMAC-SHA256 keyed with a server secret), which cannot be reversed and cannot be recomputed without the key.

The three parts in more detail:

  • JWT header: descriptive information unrelated to the user, such as company name or developer information, plus the token type and the name of the signing algorithm; it can otherwise be empty.
  • JWT payload: the core information: the user's primary key, account information, client device information and the token expiration time.
  • JWT signature: the security part. It is computed over the encoded header and the encoded payload using the server's secret key (the "salt" of the scheme), which never leaves the server.

JWT issuing algorithm

Issuing has four steps in total. A new token is issued only when the user logs in again; an earlier token that has not passed its expiration time remains valid. The client then carries the token on every request to an interface that requires login, and the server verifies it on each request.

Header algorithm

  • Header content: company name, project information and the signing algorithm name; it can also be empty.
  • Convert this data to a JSON string, then base64url-encode the JSON string.

Payload algorithm

  • Payload content: the user account, client device information, the user's primary key (available only after the account and password have been authenticated), and the expiration time (generated from the current time plus the configured validity period).
  • Convert this data to a JSON string, then base64url-encode the JSON string.

Signature algorithm

  • Signature input: the encoded header string and the encoded payload string, joined with ".", together with the secret key fetched from the server.
  • Compute HS256 (HMAC-SHA256 keyed with the server secret) over that input and base64url-encode the result; this step cannot be reversed.

Concatenating the token

  • Join the three strings with "." to produce the token.

JWT verification algorithm

Verification has five steps in total:

Splitting

  • Take the token from the client request and split it on "."; if this does not yield exactly three segments, the token is illegal.

Decoding the header

Depends on the situation: the header is usually fixed and does not need decoding. If it is decoded, the signing algorithm it declares must match the one the server expects; the server must never let the token choose the algorithm.

Decoding the payload

  • Base64url-decode the second segment into a JSON string and convert it into a Python dictionary.
    • Query the User table to determine whether the user account exists.
    • Compare the request information with the decoded payload to determine whether it is the same user and device, and decide whether to show the user a safety prompt (for example, a login from a new location).
    • Compare the expiration time with the current time to determine whether the token is still within its validity period.

Verifying the signature by recomputation

  • Take the header and payload segments exactly as submitted by the user, join them with ".", and combine them with the server secret key.
  • Run the irreversible HS256 algorithm over that input to generate a new signature string.
  • Compare the new signature with the third segment of the token (using a constant-time comparison); only if they are identical is the token legitimate. Nothing decoded from the payload (user lookup, device comparison, expiry) should be acted on until this comparison succeeds, because until then the payload is untrusted client input.

Checking the user object

  • After the steps above, the User object looked up from the payload is the user the token represents (in Django the logged-in user is generally stored in request.user).

JWT refresh algorithm

The refresh algorithm extends a token's validity: each time the user submits a request with a still-valid token, a new token is issued, so an active user is not logged out when the original expiration time passes.

Implementation of the refresh algorithm:

  • When issuing a token, add two extra pieces of information to the payload: the time the token was first issued, and the latest time up to which it may still be refreshed.
  • A request carrying a token does not only go through the verification algorithm; it also calls the refresh token interface, which completes the refresh by issuing a new token.
  • The server must therefore be configured with not only the expiration time but also a maximum refresh time.
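The issuing, verification and refresh algorithms described above, as one added example in plain Python (this is not the original post's code and not the djangorestframework-jwt implementation). The secret, the validity period and the refresh window are constructed values; the payload keys user_id, username, exp and orig_iat follow the names the library uses. Note that the signature is recomputed and compared before anything from the payload is trusted, and that the algorithm named in the header is checked rather than obeyed.

```python
import base64
import hashlib
import hmac
import json

# Constructed server secret for this example; a real deployment reads it from
# configuration (djangorestframework-jwt defaults to Django's SECRET_KEY).
SECRET = b"example-server-secret-do-not-use"
EXPIRATION = 300              # seconds a token stays valid after issue
MAX_REFRESH = 7 * 24 * 3600   # seconds after first issue during which refresh is allowed


def b64url_encode(data: bytes) -> str:
    # JWT uses URL-safe base64 without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: bytes, secret: bytes) -> bytes:
    # HS256 = HMAC-SHA256 keyed with the server secret. It hides nothing, but
    # nobody without the secret can produce a tag that verifies.
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue(user_id: int, username: str, now: int, orig_iat=None) -> str:
    """Header -> base64url, payload -> base64url, HS256 over 'header.payload'."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "user_id": user_id,
        "username": username,
        "exp": now + EXPIRATION,
        # First-issue time, carried through every refresh so the refresh window
        # stays bounded even though each refresh moves 'exp' forward.
        "orig_iat": now if orig_iat is None else orig_iat,
    }
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    s = b64url_encode(sign(f"{h}.{p}".encode(), SECRET))
    return f"{h}.{p}.{s}"


def verify(token: str, now: int) -> dict:
    """Split, check the declared alg, recompute the signature, then check expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("illegal token: expected 3 segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Never let the token choose the algorithm: an 'alg' of 'none' or of a
    # different algorithm would otherwise bypass or weaken the check below.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = sign(f"{h}.{p}".encode(), SECRET)
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    # Only now is the payload trustworthy enough to act on.
    payload = json.loads(b64url_decode(p))
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def refresh(token: str, now: int) -> str:
    """Issue a fresh token for a still-valid one, keeping orig_iat and bounding the window."""
    payload = verify(token, now)
    if now > payload["orig_iat"] + MAX_REFRESH:
        raise ValueError("refresh window exceeded; log in again")
    return issue(payload["user_id"], payload["username"], now, payload["orig_iat"])


if __name__ == "__main__":
    t0 = 1577874054
    token = issue(1, "admin", t0)
    print(token)
    print(verify(token, t0 + 10))
    print(refresh(token, t0 + 100))
```

Because the header dictionary is fixed, every token this code issues starts with the same first segment as the token shown later in this post; only the payload and the secret-dependent third segment change.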

Benefits of JWT authentication

  • No need to store the token in the database, so no IO write operations.
  • The client stores the token; the server stores only the issuing and verification algorithms, which are efficient to run.
  • The issuing and verification algorithms are identical on every server, so JWT is very convenient for server clusters: any node can verify a token issued by another node, as long as they share the same secret key.

JWT authentication in DRF

Installation

pip3 install djangorestframework-jwt

Using the library's ready-made JWT views

from django.conf.urls import url
from rest_framework_jwt.views import obtain_jwt_token

urlpatterns = [
    url(r'^login/', obtain_jwt_token),
]
'''
path('login/', obtain_jwt_token) is equivalent to path('login/', ObtainJSONWebToken.as_view()),
because in the library source we can see:
obtain_jwt_token = ObtainJSONWebToken.as_view()     # obtain a token
refresh_jwt_token = RefreshJSONWebToken.as_view()   # refresh a token
verify_jwt_token = VerifyJSONWebToken.as_view()     # verify a token
'''

Test the interface: POST request

Send a POST request from Postman to the interface: http://127.0.0.1:8000/api/login/

Data:
{
    "username":"admin",
    "password":"admin123"
}

A token string is returned. Its first two segments are plain base64url and decode to {"typ":"JWT","alg":"HS256"} and {"user_id":1,"username":"admin","exp":1577874354,"email":""}; only the third segment depends on the server secret.
{
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTc3ODc0MzU0LCJlbWFpbCI6IiJ9.5z8Ya-mxj-oPSOwdXenSKUWf7M5pt3r8YVlFKu1cskY"
}
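To go beyond the login view, the project's settings must declare the authentication class and the expiration and refresh policy. The following settings.py fragment is an added example, not from the original post; the values (15 minutes, 7 days) are constructed, while the setting names are the ones djangorestframework-jwt reads.

```python
import datetime

# settings.py fragment (constructed example values)

REST_FRAMEWORK = {
    # Makes DRF read "Authorization: JWT <token>" on every request and
    # populate request.user from the verified payload.
    "DEFAULT_AUTHENTICATION_CLASSES": (
        "rest_framework_jwt.authentication.JSONWebTokenAuthentication",
        "rest_framework.authentication.SessionAuthentication",
    ),
    "DEFAULT_PERMISSION_CLASSES": (
        "rest_framework.permissions.IsAuthenticated",
    ),
}

JWT_AUTH = {
    # Signing algorithm (default HS256); the key defaults to settings.SECRET_KEY.
    # Every node of a cluster needs the same key, and it must never reach a client.
    "JWT_ALGORITHM": "HS256",
    # Short-lived tokens: this is the "expiration time" placed in the payload.
    "JWT_EXPIRATION_DELTA": datetime.timedelta(minutes=15),
    # Enable the refresh interface and bound it: the "maximum refresh time"
    # measured from the first issue time (orig_iat) carried in the payload.
    "JWT_ALLOW_REFRESH": True,
    "JWT_REFRESH_EXPIRATION_DELTA": datetime.timedelta(days=7),
    # Prefix expected in the Authorization header: "Authorization: JWT <token>".
    "JWT_AUTH_HEADER_PREFIX": "JWT",
}
```

With JWT_ALLOW_REFRESH enabled, route refresh_jwt_token and verify_jwt_token (the views named in the URL configuration above) next to login/, for example as refresh/ and verify/; a client then posts {"token": "..."} to refresh/ to obtain a new token while the original one is still valid and inside the refresh window.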

Working principle

"""
jwt:json web tokens 采用json格式在web上传输的 认证字符串

jwt字符串:头.载荷.签名

头:公司基本信息、项目组基本信息、常规加密算法名
载荷:用户信息、过期时间
签名:头、载荷、秘钥

{头信息字典,采用base64加密算法}.{载荷信息字典,采用base64加密(base64编码)}.{头加密串、载荷加密串、服务器秘钥,采用hs256加密算法}

base64是可逆的
hash256是不可逆加密
我们一般只会将账号信息,过期时间放载荷里面,一般把密码什么重要信息丢签名里面


Origin www.cnblogs.com/ghylpb/p/12154343.html