A tutorial on Token authentication

Source: Internet
Author: User
Tags: base64, sessions


I recently worked through Token-based authentication and want to share it. Many large sites use it, such as Facebook, Twitter, Google+ and GitHub. Compared with the traditional authentication method, a Token scales better and is more secure, which makes it well suited to web applications and mobile applications. The Chinese translation of Token is "pass", which I think fits well: holding this pass, you can get through a series of checkpoints.

Traditional methods of authentication

HTTP is a stateless protocol, meaning it does not know who is accessing the application. Here we treat the user as the client: the client authenticates with a username and password, but the next time the client sends a request, it has to be verified all over again.

The solution is this: when a user requests to log in and the credentials check out, we create a record on the server that identifies the logged-in user, and send the ID of that record to the client. The client stores the ID in a cookie. The next time the user sends a request to the server, the cookie comes along, and the server checks whether the ID in the cookie matches a record on the server; if it does, the user has passed authentication and the server returns the requested data to the client.

This is the session. The sessions generated for logged-in users have to be stored on the server, whether in memory, on disk, or in a database, and we may need to clean up expired sessions on the server side periodically.

Authentication method based on Token

Using Token-based authentication, you do not need to store the user's login record on the server side. The rough process is this:

The client requests login with a username and password.
The server receives the request and verifies the username and password.
Once verification succeeds, the server issues a Token and sends it to the client.
The client stores the Token after receiving it, for example in a cookie or in local storage.
Each time the client requests a resource from the server, it must carry the Token issued by the server.
The server receives the request, verifies the Token in the client's request, and returns the requested data to the client if verification succeeds.

JWT

There are many ways to implement Token validation, and there are also standard ones, such as JWT (pronounced "jot"), which stands for JSON Web Token. A standard JWT Token has three parts:

Header
Payload
Signature

The parts are separated by dots and each is Base64-encoded (the URL-safe variant, as the base64urlencode call further down shows), so a real Token looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.swyhtex_rqppr97g4j5lkxtabjecpejuef8aqkymajc


Header

The Header has two main parts: one is the type of the Token, the other is the algorithm used. In the following example the type is JWT and the algorithm used is HS256.

{
  "alg": "HS256",
  "typ": "JWT"
}

The above content, Base64-encoded, becomes this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Payload

The Payload holds the actual content of the Token. Some of its fields are standard, and you can also add whatever other content you need. The standard fields are:

iss: issuer
sub: subject
aud: audience
exp: expiration time
nbf: not before
iat: issued at
jti: JWT ID

For example, the following Payload uses the standard fields iss (issuer) and exp (expiration time), plus two custom fields, name and admin.

{
  "iss": "ninghao.net",
  "exp": "1438955445",
  "name": "wanghao",
  "admin": true
}

After Base64 encoding it becomes this:

eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ

Signature

The last part of a JWT is the Signature. It is built from three things: the Base64-encoded header.payload string is signed with the algorithm named in the header (HS256, an HMAC) using a Secret. The Secret is equivalent to a password and is kept secret on the server side.

Header
Payload
Secret

var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);

var signature = HMACSHA256(encodedString, secret);

After this processing the Signature looks like this:

swyhtex_rqppr97g4j5lkxtabjecpejuef8aqkymajc

The final Token generated on the server and sent to the client looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.swyhtex_rqppr97g4j5lkxtabjecpejuef8aqkymajc

When the client receives this Token it stores it, and the next time it sends a request to the server it carries the Token along. The server receives the Token, validates it, and then returns the requested resource to the client.
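As an added example that is not part of the original tutorial, the following Python reproduces the signing steps above (base64url-encode the header and payload, join them with a dot, HMAC-SHA256 the result with the secret) and the server-side verification the last paragraph describes. The header and payload are the ones shown on the page; the secret is a constructed placeholder, and the helper names are my own.

```python
import base64
import hashlib
import hmac
import json
import time
HEADER = {"alg": "HS256", "typ": "JWT"}  # header as given on the page
CLAIMS = {"iss": "ninghao.net", "exp": "1438955445", "name": "wanghao", "admin": True}  # page's payload
SECRET = b"constructed-demo-secret"  # constructed placeholder, not the tutorial's real secret

def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url with the '=' padding removed (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def hs256_sign(header: dict, payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature the way the tutorial describes."""
    # compact JSON (no spaces) so the segments match the page's encoded examples
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def hs256_verify(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if the token is authentic and unexpired; raise ValueError otherwise."""
    header_seg, payload_seg, sig_seg = token.split(".")  # ValueError unless exactly three segments
    # Pin the algorithm on the server: the token must never get to choose it
    if json.loads(b64url_decode(header_seg)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time compare, and check the signature before trusting any claim
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_seg))
    # RFC 7519 defines exp as a number; the page's example stores it as a string, so accept both
    if "exp" in claims and float(claims["exp"]) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def is_valid(token: str, secret: bytes, now=None) -> bool:
    try:
        return hs256_verify(token, secret, now) is not None
    except ValueError:
        return False

TOKEN = hs256_sign(HEADER, CLAIMS, SECRET)  # first two segments equal the page's encoded header and payload
```

The verifier pins the algorithm to HS256, compares the signature in constant time before reading any claim, and only then checks exp; the page's sample token expired in August 2015, so a fixed `now` is needed to see it accepted.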
