The definition and use environment of JSON Web Token

Source: Internet
Author: User
Tags base64 hmac reserved
What is a JSON Web Token?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way to securely transfer information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. A JWT can be signed using either a secret (HMAC algorithm) or a public/private key pair (RSA). Let us explain some of the concepts in this definition in more detail.

Compact: because of its small size, a JWT can be sent in a URL, as a POST parameter or in an HTTP header. The small size also means fast transmission.

Self-contained: the payload contains all the necessary information about the user, which avoids querying the database more than once.

When should you use JSON Web Tokens?

Authentication: this is the most common scenario for using JWT. Once the user has logged in, each subsequent request includes the JWT, allowing the user to access the routes, services and resources that the token permits. Single sign-on is a widely used JWT feature, because it has very little overhead and can easily be used across different domains.

Information exchange: JSON Web Tokens are a good way to securely transfer information between parties, because they can be signed, for example with a public/private key pair, so you can be sure of the sender's identity. In addition, because the signature is computed over the header and the payload, you can verify that the content has not been tampered with.

The structure of a JSON Web Token

A JWT is actually a string that consists of three parts: a header, a payload and a signature.
A JWT is usually shown as follows: xxxxx.yyyyy.zzzzz

Header

The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm used, such as HMAC SHA256 or RSA.

{
  "alg": "HS256",
  "typ": "JWT"
}

After Base64Url encoding, this JSON becomes the first part of the JWT, the header.

Payload

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (usually the user) and additional metadata. There are three types of claims: reserved, public and private. We can first describe the user-authentication operation as a JSON object, then add some extra information that helps the server receiving this JWT in the future to understand it.
1. Reserved claims: a predefined set of claims that are not mandatory but are recommended for use, for example:

{
    "sub": "1",
    "iss": "http://localhost:8000/auth/login",
    "iat": 1451888119,
    "exp": 1454516119,
    "nbf": 1451888119,
    "jti": "37c107e4609ddbcc9c096ea5ee76c667"
}

These six fields are all defined by the JWT standard:
sub: the subject of the JWT (the user it is about)
iss: the issuer of the JWT
iat (issued at): when the token was issued
exp (expires): when the token expires
nbf (not before): the token must not be accepted before this time
jti: JWT ID, a unique identifier for the token

2. Public claims: these can be freely defined by whoever uses JWT.
3. Private claims: custom claims agreed between the parties that use them, for example:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

The above JSON object is Base64Url encoded to form the second part of the JSON Web Token. Base64 is an encoding, that is to say, it can be translated back to its original form; it is not an encryption process.

Signature

The signature is computed over the Base64Url encoded header, the Base64Url encoded payload and a secret, using the algorithm specified in the header:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

The output of this computation is the third part of the token. The signature is used to verify the identity of the sender of the JWT and to ensure that the message has not been changed along the way.

The complete JWT

The complete token is three Base64Url encoded strings separated by dots. It is easy to pass around in HTML and HTTP environments, and is easier to transmit than XML-based standards such as SAML.

How to implement JWT in Java will be explained in a future article.

References:
http://www.tuicool.com/articles/IRJnaa
https://jwt.io/introduction/
