The JSON Web Token (JWT) is a very lightweight specification. This specification allows us to use JWT to deliver secure and reliable information between the user and the server.
Let's imagine a scenario. When a user is concerned about the B user, the system sends a message to the B user, and a link "point this attention to a user" is attached. The address of the link can be like this
1 |
https://your.awesome-app.com/make-friend/?from_user=b&target_user=a |
The above URL mainly through the URL to describe this of course, there is a disadvantage, that is, require User B user must first login. Can you simplify this process so that B users do not have to log in to complete this operation. JWT allows us to do this.
The composition of the JWT
A JWT is actually a string that consists of three parts, the head , the payload , and the signature .
Load (Payload)
Let's first describe the above add a friend's action as a JSON object. Some additional information was added to help understand the JWT for future servers receiving this JWT.
123456789 |
{"ISS": "John Wu JWT","IAT": 1441593502,"exp": 1441594722, "AUD": "www.example.com", " Sub": "[email protected]", " from_user": "B", "Target_user": "A"} |
The first five fields are defined by the JWT standard.
iss
: The issuer of the JWT
sub
: The user the JWT is targeting
aud
: The party that receives the JWT
exp
(expires): When expires, here is a UNIX timestamp
iat
(Issued at): when issued
These definitions can be found in the standard.
The
Encodes the above JSON object [base64] to get the following string. This string we call the JWT's Payload (payload).
1 |
EYJPC3MiOiJKb2huIFd1IEpXvcisimlhdci6mtq0MTU5MzUwMiwiZXhwIjoxNDQxNTk0 Nziylcjhdwqioij3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY 29tIiwiZnjvbv91c2VyIjoiQiIsInrhcmdldf91c2VyIjoiQSJ9 |
If you use node. js, you can use node. JS's package Base64url to get the string.
1234567 |
var base64url = require (' Base64url ') var header = {"From_user": "B","target_user": "A"} Console.log (Base64url (json.stringify (header ))) //output: EYJPC3MIOIJKB2HUIFD1IEPXVCISIMLHDCI6MTQ0MTU5MZUWMIWIZXHWIJOXNDQXNTK0NZIYLCJHDWQIOIJ3D3CUZXHHBXBSZS5JB20ILCJZDW Iioijqcm9ja2v0qgv4yw1wbguuy29tiiwiznjvbv91c2vyijoiqiisinrhcmdldf91c2vyijoiqsj9 |
Tip: Base64 is a code that means that it can be translated back to its original appearance. It is not a cryptographic process.
Head (header)
JWT also requires a head, which is used to describe the most basic information about the JWT, such as its type and the algorithm used to sign it. This can also be represented as a JSON object.
1234 |
{"Typ": "JWT","alg": "HS256"} |
Here we show that this is a JWT, and the signature algorithm we use (which is mentioned later) is the HS256 algorithm.
It also has to be Base64 encoded, and then the string becomes the headerof the JWT (head).
1 |
Eyj0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 |
Signature (signature)
The above two encoded strings are concatenated with a period .
(head in front), forming a
1 |
Eyj0eXAiOiJKV1QiLCJhbGciOiJIUzI1nij9.eyjmcm9tx3VzZXIiOiJCIiwidGFyZ2V0X 3VzZXIiOiJBIn0 |
This part of the process is reflected in the source code of NODE-JWS
Finally, we encrypt the string above the concatenation with the HS256 algorithm. In the encryption, we also need to provide a key (secret). If we use it mystar
as a key, then we can get our encrypted content.
1 |
RSWAMYAYWUHCo7ifagd1oRpSP7nzl7bf5t7ItqpKViM |
This part is also called signature .
Finally, the part of the signature is also stitched behind the signed string, and we get the full JWT
1 |
Eyj0eXAiOiJKV1QiLCJhbGciOiJIUzI1nij9.eyjmcm9tx3VzZXIiOiJCIiwidGFyZ2V0X 3VzZXIiOiJBIn0.rswamyaywuhco7ifagd1oRpSP7nzl7bf5t7ItqpKViM |
As a result, we can change the URL in the message to
1 |
HTTPS://your.awesome-app.com/make-friend/?jwt= EyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0.rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7I Tqpkvim |
This will allow you to safely complete the action of adding friends!
Wait, we must have some questions:
- What is the purpose of the signature?
- Base64 is a kind of code, is reversible, then my information is not exposed?
Let me explain it to you.
The purpose of the signature
The process of signing the final step is actually to sign the header and the payload content. In general, cryptographic algorithms are always different for the output produced by the various inputs. For two different inputs, the probability of producing the same output is extremely small (it may be smaller than the probability that I am the richest man in the world). So, let's look at the "different inputs that produce different outputs" as inevitable events.
Therefore, if someone modifies the contents of the head and the payload and then encodes it, then the signature of the new head and payload will be different from the previous signature. Also, if you do not know the server encryption when using the key, the signature will certainly be different.
Server applications once the JWT is accepted, the contents of the head and payload are first re-signed with the same algorithm. So how does the server application know which algorithm we're using? Let's not forget that we have already alg
indicated our encryption algorithm with a field in the head of JWT.
If the server application finds that the header and the load are again signed in the same way, and the signature is not the same as the signature received, then it means that the token has been moved by someone else, and we should reject the token and return an HTTP 401 unauthorized response.
Information will be exposed?
Yes.
Therefore, in a JWT, no sensitive data should be added to the load. In the example above, we are transmitting the user ID of the Subscriber. This value is actually not a sensitive content and is generally known to be safe.
But something like a password can't be put in a JWT. If you put a user's password in a JWT, a malicious third party will be able to quickly know your password by Base64 decoding.
The appropriate scenario for JWT
As we can see, JWT is suitable for passing some non-sensitive information to a web app. For example, in the above mentioned the completion of the friend operation, as well as the operation of the order, and so on.
JSON Web Token-securely pass information between Web Apps