Reposted from Jianshu: http://www.jianshu.com/p/576dbf44b2ae
What is JWT
JSON Web Token (JWT) is a JSON-based open standard (RFC 7519) for passing claims between parties in a network application environment. The token is designed to be compact and secure, and is particularly suited to single sign-on (SSO) scenarios across distributed sites. JWT claims are typically used to pass an authenticated user's identity between an identity provider and a service provider, to obtain resources from a resource server, or to carry additional claims that other business logic needs; a JWT can also be used directly for authentication, or encrypted when its contents must stay confidential.
Origin
Before getting into JWT, it helps to look at the difference between token-based authentication and traditional session-based authentication.
Traditional session authentication
HTTP itself is a stateless protocol. If a user presents a user name and password to our application and is authenticated, the next request still arrives with nothing that tells us which user sent it, because nothing in HTTP carries that over. To let the application recognise the user on subsequent requests, the server keeps a record of the login (a session), returns an identifier for it in the response, and tells the browser to save it as a cookie. The browser attaches the cookie to every later request, and the application uses it to look up which user the request belongs to. This is traditional session-based authentication.
Session-based authentication makes the application itself harder to scale: as the number of clients grows, a single server can no longer hold all of them, and the problems of session-based authentication become apparent.
Problems with session authentication
Session storage: after each user authenticates, the application keeps a record on the server so that the next request can be identified. Sessions are usually stored in memory, so the server-side overhead grows noticeably with the number of authenticated users.
Scalability: the authentication record lives on the server that handled the login. If it is kept in memory, the user's next request must reach that same server to get access to authorized resources, which in a distributed deployment restricts what the load balancer can do (sticky sessions) and therefore limits how the application can scale out.
CSRF: because the browser attaches the session cookie automatically to every request to the site, including requests triggered from another origin, cookie-based sessions are exposed to cross-site request forgery unless a separate defence (such as anti-CSRF tokens) is in place.
Token-based authentication
Token-based authentication is stateless, like HTTP itself: the server does not need to keep the user's authentication or session information. An application built on it therefore does not care which server the user logged in on, which makes it easy to scale out.
This is the process:
- The user sends a user name and password to the server
- The server verifies the user's credentials
- If the credentials are valid, the server issues a token to the user
- The client stores the token and sends it with every request
- The server validates the token and returns the data
This token must be passed to the server on each request, and it should be carried in a request header. In addition, the server must support CORS (cross-origin resource sharing); the common shortcut is to respond with Access-Control-Allow-Origin: *. Two caveats: a custom Authorization header makes the browser send a preflight request, so the server must also list Authorization in Access-Control-Allow-Headers, and a wildcard origin is appropriate only for an API that is genuinely public; otherwise restrict it to the origins you expect.
With that background, back to JWT.
What does a JWT look like?
A JWT is made up of three parts, joined together with a period (.) to form the JWT string. It looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
The composition of the JWT
The first part is called the header, the second the payload (like the cargo carried by an aircraft), and the third the signature.
Header
The header carries two pieces of information:
- The type of token, here JWT
- The signing algorithm, usually HMAC SHA-256 (HS256)
The full header is this JSON:
{"typ":"JWT","alg":"HS256"}
The header is then base64url-encoded (this is encoding, not encryption: anyone can decode it) to form the first part:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
(The sample token above writes alg before typ, which is why its first segment differs; the key order changes the encoding but not the meaning.)
Payload
The payload is where the effective information is stored, the cargo in the aircraft analogy. It contains three kinds of claims:
- Registered claims (defined in the standard)
- Public claims
- Private claims
Registered claims (recommended but not mandatory):
- iss: the issuer of the JWT
- sub: the subject, i.e. the user the JWT is about
- aud: the audience, the party intended to receive the JWT
- exp: the expiration time of the JWT, which must be later than the issue time
- nbf: the time before which the JWT must not be accepted
- iat: the time the JWT was issued
- jti: a unique identifier for the JWT, mainly used to make a token one-time and prevent replay
Public claims:
Public claims can carry any information, generally user information or other data the business needs. Do not put sensitive information here, because the client can decode this part.
Private claims:
Private claims are agreed between the provider and the consumer. They are also not suitable for sensitive information: base64 is reversible encoding, so anything in this part is effectively plaintext.
Define a payload:
{"sub":"1234567890","name":"John Doe","admin":true}
It is then base64url-encoded to give the second part of the JWT:
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9
Signature
The third part of the JWT is the signature, which is computed from three inputs:
- the header (base64url-encoded)
- the payload (base64url-encoded)
- the secret
The base64url-encoded header and the base64url-encoded payload are joined with a period, and the resulting string is signed with the algorithm declared in the header, using the secret as the key (an HMAC key, not a salt). The result forms the third part of the JWT. In JavaScript (Node.js):
var crypto = require('crypto');
var base64UrlEncode = function (s) { return Buffer.from(s).toString('base64url'); };
var encodedString = base64UrlEncode(header) + '.' + base64UrlEncode(payload); // header and payload are the JSON strings above
var signature = base64UrlEncode(crypto.createHmac('sha256', 'secret').update(encodedString).digest());
// with the header written as {"alg":"HS256","typ":"JWT"}, as in the sample token, this gives TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
The three parts are joined with periods into the complete string that is the final JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Note: the secret is kept on the server, and the JWT is both issued and verified there. The secret is used for signing and for verification, so it is your server's private key and must never be disclosed in any scenario. Once a client learns the secret, it can issue its own JWTs, including ones with claims such as admin: true.
How to apply
The token is usually sent in the Authorization request header with the Bearer scheme:
fetch('api/user/1', { headers: { 'Authorization': 'Bearer ' + token } })
The server verifies the token and, if verification passes, returns the requested resource. The whole process is the token flow described in the steps above.
Summary of the benefits
- Because JSON is universal, JWT can be used from many languages (Java, JavaScript, Node.js, PHP, ...), giving cross-language support.
- The payload lets a JWT carry non-sensitive information that other business logic needs.
- It is easy to transmit: the structure is simple and the token is small.
- No session state has to be kept on the server, so the application is easy to scale out.
Security notes
- Do not store sensitive information in the payload: the client, and anyone else who obtains the token, can decode it.
- Protect the signing secret; it is the most important piece.
- Use HTTPS whenever possible, since a bearer token grants access to anyone who captures it.
- Verify tokens with the algorithm and key your server expects rather than trusting the alg value in the header, and check exp (and nbf and aud where set) on every request.
Author: Dearmadman
Link: http://www.jianshu.com/p/576dbf44b2ae
Source: Jianshu
Copyright belongs to the author. For commercial reprints please contact the author for authorization; for non-commercial reprints please credit the source.
JWT: JSON Web Token