ASP.NET Core JWT-based authentication (Part 1)


JSON Web Token (JWT) is an open standard (RFC 7519) for passing claims between parties as a compact JSON object. The token is designed to be compact and tamper-evident, which makes it especially suitable for distributed single sign-on (SSO) scenarios. A JWT is most often used to carry an authenticated user's identity from an identity provider to a service provider so that the service can grant access to resources; additional claims required by business logic can be added as well. The token can be used directly for authentication, and it can also be encrypted.

HTTP is a stateless protocol. Taken literally, this means that if a user sends a username and password to our application once, the next request would have to be authenticated all over again, because HTTP itself gives the server no way of knowing which user a request came from. To let the application recognise the user, the server keeps a copy of the login state after a successful login and returns an identifier to the browser in the response, asking it to save it as a cookie; the browser attaches that cookie to later requests, and the application can then tell which user each request came from.

Common traditional authentication mechanisms

HTTP Basic Auth

HTTP Basic Auth simply means that the client sends the username and password with every API request. It is the easiest authentication scheme to use with a RESTful API, since nothing more than a username and password is needed, but because the credentials are exposed to every client (they travel with each request, only Base64-encoded rather than encrypted) it is used less and less in production. When building an open RESTful API, try to avoid HTTP Basic Auth.

OAuth

OAuth (Open Authorization) is an open authorization standard that lets a user grant a third-party application access to private resources stored with a web service (photos, videos, contact lists) without handing that application their username and password.

With OAuth the user gives the third-party application a token instead of a username and password for accessing data held by a particular service provider. Each token authorizes one specific third-party system (for example, a video-editing website) to access specific resources (for example, only a single video album) for a specific period (for example, the next two hours). In this way OAuth lets users authorize a third-party website to access some of the information they keep with another service provider, rather than all of it.

Cookie Auth

With cookie authentication, the first authenticated request creates a Session object on the server and a cookie in the browser client; the client sends the cookie with subsequent requests, and the server matches it against the session object to maintain state. By default the cookie is deleted when the browser is closed, but its expiry time can be set so that it remains valid for a given period.

Token-based authentication

JSON Web Token (JWT) is a JSON-based open standard for passing claims between parties in a networked application.

JWT claims are generally used to carry an authenticated user's identity between an identity provider and a service provider so that the user can obtain resources from the server; the typical use is user login.

Some readers may ask why we need JWT at all when we could simply record a signature or a session in a cache or a database. For a database, or any piece of software, the most expensive operation is usually I/O (input and output, typically disk reads and writes). Verifying an HS256 signature, by contrast, is a single HMAC-SHA256 computation, which on modern hardware is far faster than a disk access, so validating a token requires no storage lookup at all.

Token-based authentication is stateless, like HTTP itself: the server keeps no authentication or session information for the user. An application built on it therefore does not need to care which server the user logged in on, which makes it easy to scale out.
The process is this:

  • The user sends a username and password to the server
  • The server verifies the user's credentials
  • If they check out, the server issues a token to the user
  • The client stores the token and includes it in every request
  • The server validates the token and returns the data

The token has to travel with every request to the server, normally in a request header (the Authorization header). In addition, when the client is served from a different origin, the server must support CORS (Cross-Origin Resource Sharing); a common shortcut is to reply with Access-Control-Allow-Origin: *. Bear in mind that a wildcard origin cannot be combined with credentialed requests, and that in production the allowed origins should be restricted to those that actually host the client.
With that, back to the topic of JWT.

JWT composition

Let's look at a JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Looking closely, the string contains two dots ("."), which divide the JWT into three parts: the header, the payload, and the signature. What does each of the three parts do?

Header

The JWT header carries two pieces of information:

  • typ: the token type, which for a JWT is JWT
  • alg: the signing algorithm; HS256 (HMAC with SHA-256) is the most common

The complete header is a JSON object like this (the key order matches the sample token above):

{
  "alg": "HS256",
  "typ": "JWT"
}

Base64URL-encoding this JSON (encoding, not encryption) gives the first part:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Payload

The second part is the payload. If the JWT is a warehouse, the header is the sign at the door giving its name, number and other basic details, and the payload is the goods stored inside. Its claims fall into three groups:

  • Registered claims
  • Public claims
  • Private claims

Registered claims (recommended, but not mandatory):

  • iss: the issuer of the JWT
  • sub: the subject the JWT is about (the user)
  • aud: the intended audience (recipient) of the JWT
  • exp: the expiration time; it must be later than the issued-at time
  • nbf: the "not before" time; the JWT is not valid before it
  • iat: the time the JWT was issued
  • jti: a unique identifier for the JWT, mainly used to make a token single-use so that replays can be rejected

Public claims:

Public claims may carry any information, usually the details about the user that the application needs, or other business data. Do not put sensitive information here, because the client (or anyone who holds the token) can decode it.

Private claims:

Private claims are agreed between the provider and the consumer of the token. Again, it is not advisable to store sensitive information in them, because Base64 is a reversible encoding, not encryption, so the data is effectively plaintext.

In fact, the header and payload are only Base64URL-encoded, and anyone can decode them back to the original JSON, so never store sensitive information in them.

Define a payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

After Base64URL encoding we get the second part:

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9

Signature

The third part of the JWT is the signature, which is computed from three inputs:

  • the header (after Base64URL encoding)
  • the payload (after Base64URL encoding)
  • a secret

It can be thought of as a check on the first two parts: the server joins the encoded header and payload with a dot and signs the result with the algorithm named in the header, using the secret key held on the server (for HS256 this is HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)). If either of the first two parts is altered, the signature no longer matches and verification fails. This is what guarantees the integrity of a JWT.

Storing and hiding the secret key properly is therefore essential: if it leaks, anyone who knows it can sign JWTs of their own that the server will accept as valid.
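To make the three-part structure, the readable-but-unencrypted payload, and the role of the secret concrete, here is an added example (not code from the original article or from ASP.NET Core) that builds and verifies HS256 tokens with only the Python standard library. It reproduces the sample token shown above, which is jwt.io's classic example signed with the secret "secret"; that secret, the "guess" key, and the iat/nbf/exp timestamps are constructed for the demo. The verifier pins the algorithm it expects rather than reading it from the token, compares signatures in constant time, and applies the exp and nbf registered claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not code from the original article.
# The secrets and timestamps used below are constructed for the demo.


def b64url_encode(data: bytes) -> str:
    # JWT segments use Base64URL with the '=' padding removed (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Re-add the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_json(obj) -> bytes:
    # No whitespace, keys in insertion order: the same bytes the article's sample token encodes.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def encode_jwt(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HS256 (HMAC-SHA256 over the first two segments)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_unverified(token: str) -> dict:
    """Read the payload without the secret: Base64URL is encoding, not encryption."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Return the payload if the signature and the exp/nbf claims check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the server expects instead of trusting the token's own 'alg' field.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


# The payload from the article (jwt.io's classic sample), which was signed with the secret "secret".
ARTICLE_PAYLOAD = {"sub": "1234567890", "name": "John Doe", "admin": True}


def reproduce_article_token() -> str:
    return encode_jwt(ARTICLE_PAYLOAD, b"secret")


def tamper_admin_claim(token: str) -> str:
    """Re-encode the payload with 'admin' flipped but keep the old signature: all an attacker without the key can do."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["admin"] = not claims["admin"]
    return header_b64 + "." + b64url_encode(compact_json(claims)) + "." + sig_b64


def check(token: str, secret: bytes, now=None) -> str:
    """Return 'ok' or the reason verification failed."""
    try:
        verify_jwt(token, secret, now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    token = reproduce_article_token()
    print(token)
    print("payload readable without the secret:", decode_unverified(token))
    print("verify with the right key:", check(token, b"secret"))
    print("verify with a wrong key:", check(token, b"guess"))
    print("verify after tampering with a claim:", check(tamper_admin_claim(token), b"secret"))
    # Constructed timestamps: issued at t=1000, valid from t=1000, expires at t=4600 (one hour later).
    timed = encode_jwt({"sub": "42", "iat": 1000, "nbf": 1000, "exp": 4600}, b"secret")
    print("timed token at t=2000:", check(timed, b"secret", now=2000))
    print("timed token at t=5000:", check(timed, b"secret", now=5000))
```

Running the script prints the exact token from the article, shows the payload decoded without any key, and then shows verification failing for a wrong key, for a payload edited after signing, and for a token used outside its nbf/exp window. The decode step is also the simplest way to demonstrate to colleagues why nothing sensitive belongs in a JWT payload.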

Original link: https://www.cnblogs.com/WarrenRyan/p/10426204.html


Origin www.cnblogs.com/1175429393wljblog/p/12290899.html