What is a JWT?
A JWT is a string that is Base64-encoded and signed with a checksum-like value, in the form:
A.B.C
A is the Base64-encoded JWT header
B is the Base64-encoded JSON authentication information (the claim set) carried by the JWT
C is computed from A and B and is the verification part
How to generate A?
The header format is:
{"typ": "JWT", "alg": "HS256"}
It is a JSON string with exactly two required fields, no more, no less. The alg field specifies the algorithm used to generate C, and the default value is HS256.
Base64-encode the header to get A.
Typically a JWT library hard-codes section A and at most lets the user choose the alg value.
How to calculate B?
B is the Base64 encoding of the JWT claim set. The claim set is a JSON object that describes the identity of the user; which fields it carries is flexible, and there are fixed fields with specific meanings (none of them mandatory, only recommended).
Being lazy here, the claim set is written directly as PHP code, with the meaning of each field given in the comments:
$token = array(
    "iss" => "http://example.org",   // optional. Issuer: the entity that issued the JWT, e.g. the requesting user or the issuing service
    "iat" => 1356999524,             // optional. Issued at: token creation time, UNIX timestamp
    "exp" => 1548333419,             // optional. Expire: the token's lifetime, UNIX timestamp
    "aud" => "http://example.com",   // optional. Audience: the party that receives the JWT
    "sub" => "[email protected]",     // optional. Subject: the user the JWT is about
    "nbf" => 1357000000,             // optional. Not before: the token is not accepted if the current time is before this; usually leaves some slack, e.g. a few minutes
    "jti" => '222we',                // optional. JWT ID: unique identifier for this token
    "GivenName" => "Jonny",          // custom field
    "Surname" => "Rocket",           // custom field
    "Email" => "[email protected]",   // custom field
    "Role" => ["Manager", "Project Administrator"]   // custom field
);
JWT follows RFC 7519, which says of the claim set JSON that a custom field's key is a string and its value is any JSON value. So feel free to write whatever you need; it is very flexible.
For a beginner, the most basic, simplest and most common claim set is:
$token = array(
    "user_id" => 123456,     // user id, identifies the user
    "iat" => 1356999524,     // token issue time
    "exp" => 1556999524      // token expiry time
);
Base64-encoding the claim set gives B, technically called the payload.
How to calculate C?
Take A.B and sign it with HS256 (actually with whatever algorithm the header specifies); the signing also needs a key (a string you choose yourself).
The result is C, technically called the signature, which is just a string. It acts like a CRC check, ensuring that A and B have not been tampered with.
OK, now A.B.C is the generated token.
How do I use tokens?
It can be placed in the HTTP request header, usually in the Authorization field.
Some people put it in a cookie, but cookies don't seem very convenient for mobile apps.
Token usage process?
- Initial login: the user logs in for the first time, entering user name and password
- Password authentication: the server fetches the user name and password from the database for verification
- Generate JWT: after verification succeeds, the server generates a JWT from the information returned by the database and the preset rules
- Return JWT: the server's HTTP response returns the JWT
- Request with JWT: from then on, every request the client sends must carry the JWT as the value of the Authorization field in the HTTP request header
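The A.B.C construction above and the server-side check in the last step, as an added example that is not part of the original post: it signs with HS256 using Python's standard library, pins the alg to HS256 on the verifying side (as the "hard-coded section A" remark suggests), compares the signature in constant time, and honours exp and nbf. Key and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # JWT uses URL-safe Base64 with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_encode(claims: dict, key: bytes) -> str:
    # A: header pinned by this code, the caller cannot choose alg
    a = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    # B: the claim set (payload)
    b = b64url(json.dumps(claims, separators=(",", ":")).encode())
    # C: HMAC-SHA256 over "A.B" with the shared key (signature)
    c = b64url(hmac.new(key, f"{a}.{b}".encode(), hashlib.sha256).digest())
    return f"{a}.{b}.{c}"

def jwt_decode(token: str, key: bytes, now: int = None) -> dict:
    """Return the claims if signature and time claims are valid, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    a, b, c = parts
    header = json.loads(b64url_decode(a))
    # never trust the token's own alg: accept only the algorithm this server uses
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{a}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(c)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(b))
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("token not yet valid")
    return claims

def jwt_is_valid(token: str, key: bytes, now: int = None) -> bool:
    # convenience wrapper for a request handler: True only if every check passes
    try:
        jwt_decode(token, key, now)
        return True
    except ValueError:
        return False
```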