Token authentication scheme under the restful

RESTful attention to a stateless feature (stateless), which does not put some, such as post-login authentication information in the traditional way of cookies,

The current exploration is to use token to identify the authority.

When we started studying tokens, it was easy to find a lot of information about the more popular JWT (JSON Web Token), which currently has the RFC specification (albeit just a draft).

In short, JWT defines a claim area that can be customized and can be encrypted (to indicate the encryption method on the head), as shown in

(This image is from Https://jwt.io)

Because of the use of asymmetric encryption, so the general information is still relatively safe (some people for the header in the identification of the encryption algorithm and some concerns, the proposed improvement is simply to indicate the custom algorithm type such as "Alg:1").

The benefits of JWT are obvious, so that some certified information can be put into it, and the next time the user visits again, only need to return the JWT, the server to decrypt the contents of the JWT to obtain some authentication information, and can set the expiration time in the JWT, to identify the login timeliness.

However, if the user login authentication, you must meet the user active logout situation, but because these authentication information are saved in JWT, so there is a suggestion is to the JWT inside the expiration time set shorter, each successful access after the refresh expiration time, once expired also understood as logout. This practice does not satisfy logout's

Action, it is often a more common practice to save a JWT in a database, such as in a Redis, and set the expiration time by Redis.

To analyze this, it is found that JWT is still stored in the database, and the information after its authentication in a sense, although encrypted, but still exposed to public, this makes me feel uncomfortable.

As a result, a new scheme arises, since the use of the database is not available, then the information is stored in the database (such as Redis), the token returned to the user is to identify the uniqueness, when the user successfully authenticated will receive a token, the token does not contain any information, Just for the next time the user visits, the background can be in the database to query the relevant information.

(Redis, considering its speed and hit rate for reading k-v, is very good)

Token authentication scheme under the restful