JWT (JSON Web Token) Introduction

What is JSON Web Token

JSON Web Token (JWT) is currently the most popular cross-domain authentication solution. This article explains how it works and how to use it.

First, the cross-domain authentication problem

Internet services cannot do without user authentication. The usual process looks like this:

1. The user sends a user name and password to the server.
2. If authentication succeeds, the server stores some data in the current session, such as the user's role and login time.
3. The server returns a session_id to the user, which is written into a cookie.
4. On every subsequent request the user sends the session_id back to the server in the cookie.
5. The server receives the session_id, looks up the data stored earlier, and thereby knows who the user is.

The problem with this model is that it does not scale well. On a single machine there is no problem, but in a cluster of servers, or in a cross-domain service-oriented architecture, the session data has to be shared so that every server can read it.

For example, sites A and B both belong to the same company. The requirement is that once a user logs in on one site, visiting the other site logs them in automatically. How can this be achieved?

One solution is to persist the session data by writing it to a database or another persistence layer; each service then fetches the data from the persistence layer when it receives a request. The advantage of this approach is that the architecture is clear; the disadvantage is the extra engineering effort, and if the persistence layer goes down it becomes a single point of failure.

Another option is for the server not to store session data at all: all of the data is kept by the client and sent back to the server with every request. JWT is the representative of this approach.

JWT principle

The principle of JWT is that, after authentication, the server generates a JSON object and returns it to the user, for example:

{
	"name": "Joey",
	"role": "admin",
	"expires": "2020-02-14 00:00"
}

From then on, whenever the user communicates with the server, the user sends this JSON object back, and the server relies entirely on the object to identify the user.
To prevent the user from tampering with the data, the server adds a signature when it generates the object (more on this later).
The server stores no session data at all, so it becomes stateless, which makes it much easier to scale out.

JWT data structure

An actual JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4
gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

It is a very long string, separated into three parts by dots (.). Note that a JWT contains no line breaks; it is shown on several lines here only for readability.
In order, the three parts of a JWT are:
Header
Payload
Signature
Written on a single line:

Header.Payload.Signature

Header

The Header is a JSON object describing metadata about the JWT, typically like the following:

{
	"alg": "HS256",
	"typ": "JWT"
}

In the code above, the alg property names the signature algorithm; HS256 (HMAC with SHA-256) is the most common choice and the one used in this example. The typ property names the type of the token, and for a JWT it is always written as JWT.
Note that alg travels inside the token, which is under the client's control, so a server must not let this field select the algorithm it verifies with; it should accept only the algorithm(s) it expects.
Finally, this JSON object is turned into a string with the Base64URL algorithm (more on this later).

Payload

The Payload is also a JSON object; it carries the data that actually needs to be transmitted. JWT defines seven registered claim names that can be used:
iss (issuer): who issued the token
exp (expiration time): when the token expires
sub (subject): who the token is about
aud (audience): who the token is intended for
nbf (not before): the time before which the token must not be accepted
iat (issued at): when the token was issued
jti (JWT ID): a unique identifier for the token
In addition to the registered claims, you can define your own private claims in this section:

{
	"sub": "1174051426",
	"name": "Joey Tribiani",
	"admin": true
}

Note that a JWT is not encrypted by default: anyone who obtains the token can read this section, so do not put confidential information in it.
This JSON object is also converted into a string with the Base64URL algorithm.

Signature

The Signature is a signature over the first two parts and prevents the data from being tampered with.
First, a secret key is needed. This key is known only to the server and must never be disclosed to users. Then, using the signature algorithm specified in the Header (HS256 here), the signature is computed according to the following formula:

HMACSHA256(
	base64UrlEncode(header) + "." +
	base64UrlEncode(payload),
secret
)

Once the signature is computed, the three parts (Header, Payload, Signature) are joined into a single string with a dot (.) between them, and that string can be returned to the client.

Base64URL

As mentioned above, the Header and Payload are converted into strings with the Base64URL algorithm. It is essentially the same as standard Base64, with a few small differences.
A JWT, being a token, may end up in a URL (for example api.example.com/?token=xxx). Base64 uses three characters that have special meaning in URLs: +, / and =. Base64URL therefore replaces them: the = padding is omitted, + becomes -, and / becomes _.
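
To make the three sections above concrete, here is an added example in Python (not code from the original article) that implements exactly this construction: Base64URL encoding, the HS256 signature formula shown in the Signature section, and the matching verification a server performs. The key and the claims in the demo are made up for illustration. SAMPLE_TOKEN is the token shown earlier on this page with the display-only line break removed; its header and payload are decoded without checking the signature, since the key that signed it is not given on the page.

```python
import base64
import hashlib
import hmac
import json
import time

# The sample token from the page, with the display-only line break removed.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
    "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
)


def base64url_encode(data):
    """Base64URL as JWT uses it: '+' -> '-', '/' -> '_', '=' padding dropped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def base64url_decode(text):
    """Inverse of base64url_encode; restores the padding that was dropped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input, secret):
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    return base64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def encode_jwt(payload, secret):
    """Build Header.Payload.Signature for an HS256 token."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = base64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = base64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    return header_b64 + "." + payload_b64 + "." + hs256(signing_input, secret)


def decode_unverified(token):
    """Read header and payload WITHOUT checking the signature.

    Anyone holding the token can do this, which is why the payload must not
    carry confidential data. Never make decisions on claims read this way.
    """
    header_b64, payload_b64, _ = token.split(".")
    return (json.loads(base64url_decode(header_b64)),
            json.loads(base64url_decode(payload_b64)))


def verify_jwt(token, secret, now=None):
    """Return the payload if the token is authentic and not expired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(base64url_decode(header_b64))
    # The server pins the algorithm. If the token's own header were allowed to
    # choose it, a client could send "alg": "none" with an empty signature.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hs256((header_b64 + "." + payload_b64).encode("ascii"), secret)
    # Constant-time comparison so the check does not leak the valid signature.
    if not hmac.compare_digest(expected.encode("ascii"), signature_b64.encode("utf-8")):
        raise ValueError("bad signature")
    payload = json.loads(base64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def is_valid(token, secret, now=None):
    """Convenience wrapper: True if verify_jwt accepts the token."""
    try:
        verify_jwt(token, secret, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"example-secret-assumed-for-this-demo"   # hypothetical key, not from the page
    token = encode_jwt({"sub": "1174051426", "name": "Joey Tribiani", "admin": True,
                        "exp": int(time.time()) + 300}, key)
    print(token)
    print(decode_unverified(SAMPLE_TOKEN))
    print(verify_jwt(token, key))
    print(is_valid(token, b"wrong-key"))
```

Three things in verify_jwt matter for security: the algorithm is fixed by the server rather than read from the header, the signature comparison is constant-time, and a token whose exp has passed is rejected even though its signature is valid.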

JWT's use

When the client receives the JWT from the server, it can store it in a cookie or in localStorage.
From then on, every time the client communicates with the server it must send the JWT along. It can be put in a cookie and sent automatically, but that does not work across domains, so the better approach is to put it in the Authorization header field of the HTTP request:

Authorization: Bearer <token>

Another approach, when the request is cross-domain, is to put the JWT in the body of a POST request.
Each storage choice has a cost: a token in localStorage can be read by any script running on the page, so an XSS flaw leaks it, while a token in a cookie is sent automatically and therefore needs the usual CSRF defenses (for example the SameSite cookie attribute).

JWT several features

(1) A JWT is not encrypted by default, but it can be: after the original token is generated, it can be encrypted again with a key.
(2) When the JWT is not encrypted, secret data must not be written into it.
(3) A JWT can be used not only for authentication but also to exchange information. Used well, it can reduce the number of database queries the server makes.
(4) The biggest drawback of JWT is that, because the server keeps no session state, it cannot revoke a token or change a token's permissions while it is in use. In other words, once a JWT is issued it stays valid until it expires, unless the server deploys additional logic.
(5) A JWT contains the authentication credential itself, so if it leaks, anyone can use all the permissions of that token. To limit the damage from theft, a JWT's validity period should be kept short, and for important operations the user should be asked to authenticate again.
(6) To reduce the risk of theft, a JWT should not be sent over plain HTTP; use HTTPS.
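
Points (4) and (5) say that revocation needs "additional logic" on the server. The following added Python example (not from the original article) shows the two small pieces of state that are usually deployed for that: a deny-list of revoked jti values that forgets each entry once the token would have expired anyway, and a per-user "tokens issued before this moment are void" timestamp that is bumped on a password reset or permission change. It also applies the exp, nbf, iss and aud checks with a small clock-skew leeway. It assumes the token's signature has already been verified (the check operates on the decoded claims), and the issuer and audience strings in the demo are hypothetical.

```python
import time


def _as_list(value):
    """aud may be a single string or a list of strings (RFC 7519)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


class TokenRegistry:
    """Server-side state that makes a 'stateless' token revocable.

    * _revoked: jti -> exp of the revoked token. An entry is only needed until
      that token would have expired on its own, so prune() keeps the list bounded.
    * _void_before: sub -> earliest iat still accepted. Bumping it voids every
      outstanding token of that user at once, without listing them individually.
    """

    def __init__(self):
        self._revoked = {}
        self._void_before = {}

    def revoke(self, claims):
        """Deny this specific token (claims must carry jti and exp)."""
        self._revoked[claims["jti"]] = claims["exp"]

    def void_user_tokens(self, sub, now=None):
        """Invalidate every token of this user issued before now (password reset, role change)."""
        self._void_before[sub] = time.time() if now is None else now

    def prune(self, now=None):
        """Forget revoked tokens that have expired anyway."""
        now = time.time() if now is None else now
        self._revoked = {jti: exp for jti, exp in self._revoked.items() if exp > now}

    def revoked_count(self):
        return len(self._revoked)

    def check(self, claims, issuer, audience, now=None, leeway=30):
        """Return None if the already signature-verified claims are acceptable,
        otherwise a short reason. leeway (seconds) tolerates clock skew."""
        now = time.time() if now is None else now
        for name in ("exp", "iat", "jti", "sub"):
            if name not in claims:
                return "missing " + name
        if claims.get("iss") != issuer:
            return "wrong issuer"
        if audience not in _as_list(claims.get("aud")):
            return "wrong audience"
        if now >= claims["exp"] + leeway:
            return "expired"
        if now < claims.get("nbf", 0) - leeway:
            return "not yet valid"
        if claims["jti"] in self._revoked:
            return "revoked"
        if claims["iat"] < self._void_before.get(claims["sub"], 0):
            return "issued before user's tokens were voided"
        return None


if __name__ == "__main__":
    # Constructed claims, as a server would see them after verifying the signature.
    issuer, audience = "https://auth.example.com", "api.example.com"   # hypothetical
    t0 = 1700000000
    reg = TokenRegistry()
    claims = {"iss": issuer, "aud": audience, "sub": "1174051426",
              "iat": t0, "exp": t0 + 600, "jti": "a1"}
    print(reg.check(claims, issuer, audience, now=t0 + 10))   # None: accepted
    reg.revoke(claims)
    print(reg.check(claims, issuer, audience, now=t0 + 10))   # revoked
    reg.prune(now=t0 + 700)
    print(reg.revoked_count())                                 # 0: entry expired
```

Because the deny-list only has to remember tokens until their own exp, keeping token lifetimes short (point 5) also keeps this state small; the user-level timestamp covers the "change the permissions of an issued token" case without enumerating tokens.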

Origin blog.csdn.net/Joey_Tribiani/article/details/104320006