This is the 12th day of my participation in the August More Text Challenge. For details, see: August is more challenging

Introduction to JWT

JSON Web Token (JWT) is a JSON-based open standard (RFC 7519) for passing claims between parties in a network application environment. The token is designed to be compact and secure, and it is particularly suited to single sign-on (SSO) across distributed sites. JWT claims are generally used to pass authenticated user identity information between an identity provider and a service provider so that resources can be obtained from a resource server. Additional claims required by other business logic can also be included. The token can also be used directly for authentication, or be encrypted.

How JWT works

  • JWT authentication flow:
    • The user enters a user name and password to log in. After successful authentication, the server returns a JWT to the client
    • The client saves the token locally (usually in localStorage, but a cookie can also be used)
    • When the user wants to access a protected route or resource, the JWT is sent in the Authorization request header using the Bearer scheme, which looks like this:
Authorization: Bearer <token>
  • The server's protected route checks the JWT in the Authorization header and allows the user's request if the token is valid
  • Because a JWT is self-contained (it carries the session information itself), it reduces the need to query the database
  • Because JWT does not rely on cookies, you can serve your API from any domain without worrying about cross-origin resource sharing (CORS)
  • Because the user's state is no longer kept in the server's memory, this is a stateless authentication mechanism

The structure of JWT

A JWT is made of three parts separated by dots: the first part is the header, the second is the payload, and the third is the signature.

header

The JWT header carries two pieces of information:

  • The token type, in this case JWT
  • The signing algorithm, which is usually HMAC SHA256 (HS256)

The full header is a JSON object like this:

{
  "typ": "JWT",
  "alg": "HS256"
}

The header is then base64 encoded (an encoding that anyone holding the token can reverse) to form the first part:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

payload

The payload is where the useful information is stored. The word originally refers to the cargo carried by an aircraft. The claims it carries fall into three groups:

  • Registered claims defined in the standard
  • Public claims
  • Private claims

Registered claims defined in the standard (recommended but not mandatory):

  • iss: the issuer of the JWT
  • sub: the subject, i.e. the user the JWT is about
  • aud: the audience, i.e. the party that receives the JWT
  • exp: the expiration time of the JWT, which must be later than the issue time
  • nbf: the "not before" time, before which the JWT must not be accepted
  • iat: the time at which the JWT was issued
  • jti: the unique identifier of the JWT, mainly used to make the token one-time and so prevent replay attacks

Public claims: a public claim can carry any information, usually user-related information or other information the business needs. Storing sensitive information here is not recommended, because this part can be decoded on the client.

Private claims: a private claim is one agreed between the provider and the consumer. Storing sensitive information here is also not recommended, because base64 is reversible, so this part is effectively plain text.

Define a payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

This is then base64 encoded to get the second part of the JWT:

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9

signature

The third part of the JWT is the signature. It is built from three inputs:

  • Header (base64 encoded)
  • Payload (base64 encoded)
  • secret

The base64-encoded header and the base64-encoded payload are joined with a dot, and the resulting string is signed with the secret using the algorithm declared in the header (HMAC SHA256 here). The result is the third part of the JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
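As an added example (not code from the original post), here is the whole mechanism described above in Python: base64url encoding of the header and payload, HMAC-SHA256 signing as in the signature section, the server-side verification of signature, exp and nbf, and extraction of the token from the Authorization header described in the authentication flow. The secret is a constructed placeholder and the function names are my own.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # JWT segments are base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_segment(obj: dict) -> str:
    # compact JSON (no whitespace), key order kept as given
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # signature = HMAC-SHA256(secret, base64url(header) + "." + base64url(payload))
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_hs256(token, secret: bytes, now=None):
    """Return the payload dict if signature and time claims hold, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64).decode("utf-8"))
        payload = json.loads(b64url_decode(p_b64).decode("utf-8"))
        sig = b64url_decode(s_b64)
    except (ValueError, AttributeError):  # wrong segment count, bad base64/JSON, None
        return None
    # The server pins the algorithm it accepts; the token's header is untrusted input
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    if not isinstance(payload, dict) or ("exp" in payload and now >= payload["exp"]):
        return None
    if "nbf" in payload and now < payload["nbf"]:
        return None
    return payload

def bearer_token(authorization):
    # Pull the token out of "Authorization: Bearer <token>"; None if absent or not Bearer
    if not authorization or not authorization.startswith("Bearer "):
        return None
    return authorization[len("Bearer "):].strip() or None
```

Encoding the post's own header and payload with encode_segment reproduces the two base64 strings shown above; the signature differs because the post's secret is not known.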

Difference between an ordinary Token and JWT

What they have in common:

  • Both are tokens used to access resources
  • Both can carry user information
  • Both let the server be stateless
  • With both, the client can access protected resources on the server only after authentication succeeds

Differences:

  • Token: when verifying a Token sent by the client, the server must query the database to obtain the user information and then check whether the Token is valid.
  • JWT: the Token and its payload are signed and stored on the client. The server only needs its key to verify it (the verification is implemented by JWT itself), so the database need not be queried, or is queried less often, because the JWT itself contains the user information and the signed data.