JSON Web Tokens (JWT)

Source: Internet
Author: User


    • JWT libraries exist for many languages: .NET, Python, Node.js, Java, PHP, Ruby, Go, JavaScript and Haskell.
    • A JWT is self-contained: the token itself carries the information the receiver needs, such as user claims, together with the signature that protects them.
    • Because it is self-contained and compact, a JWT is easy to transmit: it fits in an HTTP header (typically Authorization: Bearer <token>), and when calling an authorization API it can also be passed in a URL. A token in a URL query string ends up in browser history, proxy and server logs and Referer headers, so the header is the safer carrier.

A JWT is easy to recognise: it is a string made of three parts separated by dots (.):

header.payload.signature

The three parts are the header, the payload and the signature.


The header has two fields: the token type and the hashing algorithm used for the signature (such as HMAC SHA256):

{"typ": "JWT", "alg": "HS256"}

Base64url-encoding this JSON (in its compact form, {"typ":"JWT","alg":"HS256"}) gives the first part of the JWT:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

Note that this is encoding, not encryption: anyone holding the token can decode the header and the payload, so nothing secret should be placed in them; only the signature protects their integrity.

The second part of the JWT is the payload, also called the JWT claims, which carries the information we want to transfer. Claim names fall into three groups: registered claim names, public claim names and private claim names.

The registered claim names are:

    • iss: the issuer of the token
    • sub: the subject of the token
    • aud: the audience of the token (the recipients it is intended for)
    • exp: the expiration time as a numeric date (seconds since the Unix epoch); the token must not be accepted on or after this time
    • nbf: not before; the token must not be accepted before this time, i.e. the start of its validity
    • iat: the time the JWT was issued; can be used to determine the age of the token
    • jti: the JWT ID, a unique identifier for the token; a server that records the jti values it has already accepted can reject a replayed token, so that each token is used only once

Public claim names carry the information we define ourselves, such as user information; to avoid collisions they should be registered in the IANA JSON Web Token Claims registry or use a collision-resistant name.

Private claim names are agreed privately between the producer and the consumer of the token; they are neither registered nor public.

Here is an example payload:

{"iss": "scotch.io", "exp": 1300819380, "name": "Chris Sevilleja", "admin": true}


The third part of the JWT is the signature, which is computed from:

    • the encoded header
    • the encoded payload
    • a secret key

Here is how the third part is obtained:

encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload)
signature = HMACSHA256(encodedString, secret)

The secret is held by the server: with it the server can both verify an existing token and sign a new one. Anyone who holds the secret can mint valid tokens, so it must never be shipped to clients.

The algorithms supported by JWT are:


That covers the theory from the official site; the rest of this post walks through examples with the java-jwt library from com.auth0:

Import the dependency first:

<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.2.0</version>
</dependency>

1. Specify the signing algorithm (JWTs as used here are signed, not encrypted):

Algorithm algorithmHS = Algorithm.HMAC256("secret");

Map<String, Object> keys = RSAUtils.getKeys(); // RSAUtils is the post's own key-pair helper, not part of java-jwt
RSAPublicKey publicKey = (RSAPublicKey) keys.get("public");     // get the key instance
RSAPrivateKey privateKey = (RSAPrivateKey) keys.get("private"); // get the key instance
Algorithm algorithmRS = Algorithm.RSA256(publicKey, privateKey);

2. Generate tokens

Generate tokens with HS256:

try {
    Algorithm algorithm = Algorithm.HMAC256("secret");
    String token = JWT.create()
        .withIssuer("auth0")
        .sign(algorithm);
} catch (UnsupportedEncodingException exception) {
    // UTF-8 encoding not supported
} catch (JWTCreationException exception) {
    // Invalid signing configuration / couldn't convert claims
}

Generate tokens with RS256:

Map<String, Object> keys = RSAUtils.getKeys(); // the post's own key-pair helper
RSAPublicKey publicKey = (RSAPublicKey) keys.get("public");     // get the key instance
RSAPrivateKey privateKey = (RSAPrivateKey) keys.get("private"); // get the key instance
try {
    Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
    String token = JWT.create()
        .withIssuer("auth0")
        .sign(algorithm);
} catch (JWTCreationException exception) {
    // Invalid signing configuration / couldn't convert claims
}

3. Verify tokens

1) General verification

Verifying tokens with HS256:

String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE";
try {
    Algorithm algorithm = Algorithm.HMAC256("secret");
    JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("auth0")
        .build(); // reusable verifier instance
    DecodedJWT jwt = verifier.verify(token);
} catch (UnsupportedEncodingException exception) {
    // UTF-8 encoding not supported
} catch (JWTVerificationException exception) {
    // Invalid signature/claims
}

Verifying tokens with RS256:

// Note: the sample token above is HS256-signed; an RS256 verifier rejects it with an
// AlgorithmMismatchException, because the verifier only accepts the algorithm it was built with.
String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE";
Map<String, Object> keys = RSAUtils.getKeys(); // the post's own key-pair helper
RSAPublicKey publicKey = (RSAPublicKey) keys.get("public");     // get the key instance
RSAPrivateKey privateKey = (RSAPrivateKey) keys.get("private"); // get the key instance
try {
    Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
    JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("auth0")
        .build(); // reusable verifier instance
    DecodedJWT jwt = verifier.verify(token);
} catch (JWTVerificationException exception) {
    // Invalid signature/claims
}

2) The payload can carry custom data that is then checked during verification, including times.

Specify the data when generating the token:

import java.io.UnsupportedEncodingException;
import java.util.Calendar;
import java.util.Date;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;
import org.junit.Test;

@Test
public void gen1() {
    String token = "";
    Calendar calendar = Calendar.getInstance();
    calendar.add(Calendar.SECOND, 30); // expire 30 seconds after the current time
    Date date = calendar.getTime();
    try {
        Algorithm algorithm = Algorithm.HMAC256("mysecrite");
        token = JWT.create()
            .withIssuer("auth0")
            .withArrayClaim("array", new Integer[]{1, 2, 3})
            .withExpiresAt(date)
            .sign(algorithm);
        System.out.println("token: " + token);
    } catch (UnsupportedEncodingException exception) {
        // UTF-8 encoding not supported
    } catch (JWTCreationException exception) {
        // Invalid signing configuration / couldn't convert claims
    }
}

Verify that the token has not expired and that the expected claims are present:

@Test
public void gen3() {
    // token produced by gen1(); its payload decodes to {"iss":"auth0","exp":1497685409}
    String token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhdXRoMCIsImV4cCI6MTQ5NzY4NTQwOX0.dhy-90jaa63_Tvi-grz2ohciitmajb45zb1tdchq_nq";
    try {
        Algorithm algorithm = Algorithm.HMAC256("mysecrite");
        JWTVerifier.BaseVerification verification = (JWTVerifier.BaseVerification) JWT.require(algorithm)
            .withIssuer("auth0")
            .withSubject("xiaomong");
        Clock clock = new Clock() { // must implement the Clock interface
            @Override
            public Date getToday() {
                return new Date();
            }
        };
        JWTVerifier verifier = verification.build(clock);
        DecodedJWT jwt = verifier.verify(token);
        System.out.println(jwt.getAlgorithm());
        System.out.println(jwt.getType());
        System.out.println(jwt.getIssuer());
        System.out.println(jwt.getExpiresAt());
    } catch (UnsupportedEncodingException exception) {
        // UTF-8 encoding not supported
        exception.printStackTrace();
    } catch (JWTVerificationException exception) {
        // Invalid signature/claims
        exception.printStackTrace();
    }
}

If the subject claim does not match the required value, verification fails with an InvalidClaimException:

If more than 30 seconds have passed since the token was generated, it fails with a TokenExpiredException:

A slight modification of the verification method:

@Test
public void gen3() {
    // token produced by gen1() after adding sub, array and name claims; its payload decodes to
    // {"sub":"xiaoming","array":[1,2,3],"iss":"auth0","name":"Iam right from claim","exp":1497689485}
    String token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4aWFvbWluZyIsImFycmF5IjpbMSwyLDNdLCJpc3MiOiJhdXRoMCIsIm5hbWUiOiJJYW0gcmlnaHQgZnJvbSBjbGFpbSIsImV4cCI6MTQ5NzY4OTQ4NX0.6LSXISVAGI8B2WAVAZQ4TJ-H9PGD6GGAOYZLZ_GPFMU";
    try {
        Algorithm algorithm = Algorithm.HMAC256("mysecrite");
        JWTVerifier.BaseVerification verification = (JWTVerifier.BaseVerification) JWT.require(algorithm)
            .withIssuer("auth0")
            .withSubject("xiaoming");
        Clock clock = new Clock() { // must implement the Clock interface
            @Override
            public Date getToday() {
                return new Date();
            }
        };
        JWTVerifier verifier = verification.build(clock);
        DecodedJWT jwt = verifier.verify(token);
        Map<String, Claim> claims = jwt.getClaims(); // the key is the claim name
        Claim claim = claims.get("name");
        System.out.println(claim.asString()); // print the value of the claim
        System.out.println(jwt.getAlgorithm());
        System.out.println(jwt.getType());
        System.out.println(jwt.getIssuer());
        System.out.println(jwt.getExpiresAt());
    } catch (UnsupportedEncodingException exception) {
        // UTF-8 encoding not supported
        exception.printStackTrace();
    } catch (JWTVerificationException exception) {
        // Invalid signature/claims
        exception.printStackTrace();
    }
}

The final result after validation:
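The three-part structure and the HMAC-SHA256 signature described at the start of this post, together with the expiry and subject checks that the two tests above perform with java-jwt, reduced to one self-contained Python script. This is an added example written for this edit, not code from the original post or from the java-jwt project: the function names (sign_hs256, verify_hs256, JwtError), the secret "mysecrite", the claims and the timestamps are assumptions constructed for the illustration. The now argument stands in for java-jwt's Clock so that the 30-second expiry can be exercised without waiting. Beyond the post's two cases it also shows why a verifier pins its algorithm: a token whose header is rewritten to alg "none" is rejected before any signature work is done.

```python
"""Minimal HS256 JSON Web Token encoder/verifier on the Python standard library.
Added worked example for this post; it is not java-jwt code. The function names,
the constructed claims, the secret and the timestamps are illustrative assumptions."""
import base64
import hashlib
import hmac
import json
import time


class JwtError(Exception):
    """Any structural, signature or claim failure."""


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # restore the padding the stdlib decoder expects
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """header.payload.signature, with HMAC-SHA256 over base64url(header) + '.' + base64url(payload)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, *, issuer=None, subject=None,
                 audience=None, leeway=0, now=None) -> dict:
    """Check the signature first, then the registered claims. `now` (seconds since
    the epoch) plays the role of java-jwt's Clock so that expiry is testable."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise JwtError("header is not base64url-encoded JSON")
    # The verifier pins the algorithm it was built with, so a header claiming
    # "none" or "RS256" is rejected before any signature work happens.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise JwtError(f"unexpected alg {header.get('alg') if isinstance(header, dict) else None!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise JwtError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now > claims["exp"] + leeway:
        raise JwtError("token has expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise JwtError("token is not yet valid")
    if issuer is not None and claims.get("iss") != issuer:
        raise JwtError("iss mismatch")
    if subject is not None and claims.get("sub") != subject:
        raise JwtError("sub mismatch")
    if audience is not None:
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise JwtError("aud mismatch")
    return claims


def demo() -> dict:
    """Replays the post's two test cases (wrong subject, expired after 30 s) plus
    two further failure modes, returning a label -> outcome map."""
    secret = b"mysecrite"   # the post's example secret
    issued = 1497685379     # constructed issue time (seconds since the epoch)
    claims = {"iss": "auth0", "sub": "xiaoming", "array": [1, 2, 3], "exp": issued + 30}
    token = sign_hs256(claims, secret)
    cases = [
        ("valid", secret, "xiaoming", issued + 10),
        ("wrong_subject", secret, "xiaomong", issued + 10),
        ("expired", secret, "xiaoming", issued + 31),
        ("wrong_secret", b"secret", "xiaoming", issued + 10),
    ]
    outcomes = {}
    for label, key, sub, now in cases:
        try:
            verify_hs256(token, key, issuer="auth0", subject=sub, now=now)
            outcomes[label] = "accepted"
        except JwtError as err:
            outcomes[label] = str(err)
    # alg=none downgrade attempt: keep the payload, swap the header, drop the signature
    _, payload_b64, _ = token.split(".")
    none_token = b64url_encode(b'{"typ":"JWT","alg":"none"}') + "." + payload_b64 + "."
    try:
        verify_hs256(none_token, secret, now=issued + 10)
        outcomes["alg_none"] = "accepted"
    except JwtError as err:
        outcomes["alg_none"] = str(err)
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:14s} {outcome}")
```

Run the script directly to print the outcome of each case. Every failure surfaces as a JwtError with a distinct message, the counterpart of java-jwt's InvalidClaimException and TokenExpiredException, and the signature is always checked before any claim is trusted, which is the order a verifier must keep.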

4. Adding and reading claims

1) The built-in payload claims have the following getters; each returns null if the claim is absent:

Issuer ("iss")
String issuer = jwt.getIssuer();
Subject ("sub")
String subject = jwt.getSubject();
Audience ("aud")
List<String> audience = jwt.getAudience();
Expiration time ("exp")
Date expiresAt = jwt.getExpiresAt();
Not before ("nbf")
Date notBefore = jwt.getNotBefore();
Issued at ("iat")
Date issuedAt = jwt.getIssuedAt();
JWT ID ("jti")
String id = jwt.getId();

2) Defining a private claim

Adding:

String token = JWT.create()
    .withClaim("name", 123)
    .withArrayClaim("array", new Integer[]{1, 2, 3})
    .sign(algorithm);

Verifying:

JWTVerifier verifier = JWT.require(algorithm)
    .withClaim("name", 123)
    .withArrayClaim("array", 1, 2, 3)
    .build();
DecodedJWT jwt = verifier.verify("my.jwt.token");

Currently the officially supported claim types are: Boolean, Integer, Double, String, Date, String[] and Integer[].

5. Header claims

1) Header claims define the content of the header part. They have sensible defaults and normally need no setup. The built-in ones are:

Algorithm ("alg")
String algorithm = jwt.getAlgorithm();
Type ("typ")
String type = jwt.getType();
Content type ("cty")
String contentType = jwt.getContentType();
Key ID ("kid")
String keyId = jwt.getKeyId();

2) Adding:

Map<String, Object> headerClaims = new HashMap<>();
headerClaims.put("owner", "auth0");
String token = JWT.create()
    .withHeader(headerClaims)
    .sign(algorithm);

3) Reading:

Claim claim = jwt.getHeaderClaim("owner");

Summary: Looking at some other people's blogs, I found that they use fairly old versions of the API, where a token is generated step by step; the new one is really much simpler and more convenient. That is all for this share; exchanges are welcome.
