What is JWT?

JSON Web Token (JWT) is a very lightweight specification that lets us pass secure, verifiable information between the user and the server. Following on from the previous article, it is really a token-based authentication mechanism. Many frameworks use this approach for authentication today, including Shiro and Spring Security, but the typical implementation is this lightweight one.

How is a JWT composed?

A JWT is essentially a string made up of three parts: a header, a payload, and a signature.

Header

The header describes the most basic information about the JWT, such as its type and the algorithm used to sign it, and is itself a JSON object. In this example the header is {"typ":"JWT","alg":"HS256"}, which declares that the signing algorithm is HS256 (HMAC with SHA-256).

Base64-encoding it (for example with http://base64.xpcha.com/) gives the following string. Strictly, JWT uses the URL-safe Base64 alphabet ('-' and '_' instead of '+' and '/') with the trailing '=' padding removed, which is why the string below ends without padding:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

Fact: Base64 represents binary data using 64 printable characters. Since 2^6 = 64, every six bits form one unit that maps to one printable character. Three bytes are 24 bits, which correspond to four Base64 units, so three bytes are represented by four printable characters.

The JDK provides the convenient BASE64Encoder and BASE64Decoder classes, with which Base64 encoding and decoding is very easy. Note that those classes live in the internal sun.misc package; since Java 8 the public java.util.Base64 class is the supported choice, and its getUrlEncoder().withoutPadding() produces exactly the JWT segment format.
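As an added example (not code from the original article), the following from-scratch base64url encoder and decoder shows the 6-bit grouping described above: three bytes become four characters, and a trailing one or two bytes become two or three characters with no '=' padding. The alphabet is the URL-safe one that JWT segments use, and the result is cross-checked against the standard library. The function names and the sample inputs are this example's own.

```python
# Added example, not part of the article: hand-rolled base64url (RFC 4648
# URL-safe alphabet, no padding), the encoding JWT uses for each segment.
import base64

ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789-_"
)
DECODE_TABLE = {c: i for i, c in enumerate(ALPHABET)}

# The header JSON that the article's encoded header string decodes to.
HEADER_JSON = b'{"typ":"JWT","alg":"HS256"}'


def b64url_encode(data: bytes) -> str:
    """Encode bytes with the base64url alphabet, omitting '=' padding."""
    out = []
    # Consume 3 bytes (24 bits) at a time; each 6-bit group maps to one char.
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Pack the chunk into a 24-bit integer, zero-filling a short tail.
        bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        groups = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        # 3 bytes -> 4 chars, 2 bytes -> 3 chars, 1 byte -> 2 chars.
        out.extend(ALPHABET[g] for g in groups[: n + 1])
    return "".join(out)


def b64url_decode(text: str) -> bytes:
    """Decode an unpadded base64url string; rejects impossible lengths."""
    if len(text) % 4 == 1:
        raise ValueError("invalid base64url length")
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = text[i:i + 4]
        n = len(chunk)
        bits = 0
        for c in chunk:
            bits = (bits << 6) | DECODE_TABLE[c]  # KeyError on '=' or other junk
        # Left-align the bits we have to a full 24-bit group.
        bits <<= 6 * (4 - n)
        # 4 chars -> 3 bytes, 3 chars -> 2 bytes, 2 chars -> 1 byte.
        out.extend(bits.to_bytes(3, "big")[: n - 1])
    return bytes(out)


def encode_header() -> str:
    """base64url of the example header; should equal the string in the article."""
    return b64url_encode(HEADER_JSON)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-rolled encoder/decoder against the standard library."""
    std = base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
    return std == b64url_encode(data) and b64url_decode(std) == data


if __name__ == "__main__":
    print(encode_header())
    print(b64url_decode(encode_header()))
```

Because the decoder refuses padding characters and odd lengths, it also illustrates why a JWT parser should treat malformed segments as invalid input rather than guessing.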

Payload

The payload is where the useful information is stored (the word originally refers to the cargo an aircraft carries). This information consists of three kinds of claims:

(1) Claims registered in the standard (recommended but not mandatory)

iss: the issuer of the JWT
sub: the subject of the JWT (the user)
aud: the audience, i.e. the party meant to receive the JWT
exp: the expiration time of the JWT, which must be later than the issue time
nbf: the time before which the JWT must not be accepted
jti: the unique identifier of the JWT, used mainly to make the token one-time and so prevent replay attacks

(2) Public claims

Public claims can carry any information, usually about the user or whatever else the business needs. Adding sensitive information is not recommended, however, because this part can be decoded on the client side.

(3) Private claims

Private claims are agreed between the provider and the consumer. Storing sensitive information here is again not recommended, because Base64 is an encoding rather than encryption: anyone holding the token can decode it, so this part should be treated as plaintext.

These are custom claims. In the payload example below, for instance, admin and name are custom claims. The difference between these and the claims the JWT standard defines is this: a JWT recipient knows how to validate the standard claims once it receives the token (whether it actually validates them is another matter), whereas private claims are not validated unless the recipient is explicitly told which claims to validate and by what rules.

Define a payload:

{"sub":"1234567890","name":"John Doe","admin":true}

It is then Base64-encoded to get the second part of the JWT:

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9

Signature

The third part of the JWT is the signature, which is computed from three inputs:

header (Base64)
payload (Base64)
secret

The Base64-encoded header and the Base64-encoded payload are joined with a dot into a single string, and that string is then signed with the secret using the algorithm declared in the header (here HS256, i.e. HMAC-SHA256). The result is the third part of the JWT:

TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Note: the secret is stored on the server, and JWTs are generated on the server. The secret is used both to sign JWTs and to verify them, so it is effectively your server-side private key and must never be disclosed in any scenario. Once a client learns the secret, it can issue JWTs itself. For the implementation, see the next part: www.jianshu.com/p/5c79e832d…
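To tie the three parts together, here is an added example (not the article's code, and not taken from the follow-up link) of a minimal HS256 issuer and verifier built only from the Python standard library. It produces the same header and payload segments shown above, signs the dotted pair with HMAC-SHA256, and on the verifying side pins the algorithm to HS256, compares the MAC in constant time, and checks the registered claims exp, nbf and iss from the list in the payload section. The secret, the sample payload and all function names are this example's own assumptions; because the article never states its secret, the signature produced here will differ from the one printed above.

```python
# Added example, not part of the article: HS256 JWT sign and verify.
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; on a real server this is the signing key and
# never leaves the server, as the article stresses.
SECRET = b"demo-secret-do-not-use-in-production"

# Constructed sample payload using the same claims as the article's example.
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "admin": True}


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding of every JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    """Inverse of _b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature, signing the first two segments with HMAC-SHA256."""
    header = {"typ": "JWT", "alg": "HS256"}
    # Compact JSON (no spaces) so the segments match the strings in the article.
    segments = [
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    ]
    signing_input = ".".join(segments)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: bytes, now=None, issuer=None) -> dict:
    """Return the payload if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_unb64url(h_b64))
    # The verifier decides which algorithm it accepts, never the token, so
    # "alg": "none" or any other algorithm is rejected before the MAC check.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, _unb64url(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64url(p_b64))
    now = time.time() if now is None else now
    # Registered claims from the payload section: exp, nbf and iss.
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    if issuer is not None and payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    return payload


def is_rejected(token: str, secret: bytes = SECRET, **kwargs) -> bool:
    """True if verify_hs256 refuses the token (shows tampering is caught)."""
    try:
        verify_hs256(token, secret, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    token = sign_hs256(PAYLOAD, SECRET)
    print(token)
    print(verify_hs256(token, SECRET))
```

The verifier's order of checks is the point: the signature is validated against the exact bytes of the first two segments, so any change to the payload (such as editing a claim and re-encoding it) invalidates the token unless the editor also holds the secret, which is exactly why the secret must stay on the server.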

Please give this a thumbs up if you liked it.