Introduction to JWT
JSON Web Token (JWT) is an open jSON-based standard (RFC 7519) implemented for the transfer of declarations between network application environments.
Abstract note from JWT RFC 7519 standardization: JSON Web Tokens are a compact, URL-safe way to represent declarations to be transmitted between two parties.
JWT usage form
JWT is generally used to pass authenticated user identity information between the identity provider and the service provider to obtain resources from the resource server, and to add some additional declarative information necessary for other business logic. The Token can also be used directly for authentication or can be encrypted.
JWT certification process
Client processing mode
-
The client does not need to hold a key. The server generates a Token through the key.
-
After the authentication succeeds, the server generates a Token based on the key held by the client. The Token usually contains the expiration period and unique user ID, such as the user ID. The server returns the Token to the client.
-
The client saves the Token returned by the server.
-
When clients perform service requests, they place tokens in the Authorization field of the Head, for example, Authorization: Bearer Token
Server processing mode
-
The server verifies the requested Token and checks whether the Token exists through Redis to solve the problem that the user is logged out but the Token is still in the validity period. If the Token exists in Redis, the user has been logged out. If the Token does not exist, the verification succeeds.
-
The server can use the unique user ID obtained from the Token to verify related permissions and assign the user ID to request parameters. Services can process services using the user ID.
-
When a user logs out, the server saves the Token within the validity period in Redis and sets the validity period correctly.
JWT structure
JWT is made up of three pieces of information:
- The first paragraph is the Header.
- The second paragraph is the Payload
- The third paragraph is Signature.
Each part of the content is a JSON object. Each section of the JSON object is BASE64 encoded, and the encoded content is used. The links together make up the JWT string. As follows:
header.payload.signature
Copy the code
Header
The header describes the most basic information about the JWT, such as its type and the algorithm used to sign it. This can also be represented as a JSON object.
{ "typ": "JWT", "alg": "HS256" }
Copy the code
Indicates in the header that the signature algorithm is HS256 algorithm.
Payload
The payload is where the useful information is stored. Valid information consists of three parts:
Declarations registered in the standard, public declarations, private declarations
-
Declarations registered in the standard (recommended but not mandatory) :
- Iss: JWT issuer
- Sub: The user JWT is targeting
- Aud: The side receiving the JWT
- Exp: indicates the expiration time of the JWT. The expiration time must be greater than the issue time
- NBF: Define before what time the JWT is unavailable
- Iat: issue time of JWT
- Jti: Unique IDENTIFIER of the JWT. It is used as a one-time token to avoid replay attacks.
-
Public declaration: A public declaration can add any information, usually about the user or other information necessary for the business. However, it is not recommended to add sensitive information because this part can be decrypted on the client side.
-
Private declarations: Private declarations are defined by both the provider and the consumer. It is generally not recommended to store sensitive information because Base64 is symmetrically decrypted, meaning that part of the information can be classified as plaintext information.
The following is an example:
{ "iss": "Online JWT Builder", "iat": 1416797419, "exp": 1448333419, "aud": "www.primeton.com", }
Copy the code
The signature (signature)
Creating a signature requires Base64 encoded headers and payload and a secret key. Use the header and payload after base64 encryption. A string of concatenated strings, salted with secret combined with the encryption declared in the header, which then forms the third part of the JWT.
For example, HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)Copy the code