What is the JWT

JSON Web Token (JWT) is an open standard (RFC 7519) for transferring claims between parties as a JSON object. The token is designed to be compact and to be verifiable, which makes it particularly suitable for single sign-on (SSO) across distributed sites. A JWT is generally used to pass an authenticated user's identity from the identity provider to the service provider so that resources can be obtained from the resource server, and it can carry additional claims required by other business logic. The token can also be used directly for authentication, and it can optionally be encrypted.

Why JWT

We know that HTTP protocol is stateless. Generally, for user authentication, the process is as follows:

1. The client sends the user name and password to the server.
2. After authentication succeeds, the server saves the user information in the current session.
3. The server sends a session_id to the client as the session credential and writes it into a cookie.
4. On each request, the client reads the session_id from the cookie and sends it to the server.

Disadvantages of session authentication:

  • Hard to scale: the server keeps the authentication record in memory, so subsequent requests from that user must be routed to the same server in order to be authorized. In a distributed application this restricts what the load balancer can do and limits the scalability of the application.

  • CSRF: session authentication identifies the user by a cookie; if that cookie is intercepted, the user is vulnerable to cross-site request forgery.

JWT principle

Like HTTP itself, token-based authentication is stateless. The server does not need to keep user authentication state or session information. This means that an application using token authentication does not need to care which server the user logged in on, which makes it easier to scale.

  • The user sends a request to the server with an account and password;
  • The server verifies the user information;
  • After authentication succeeds, the server returns a unique token to the client;
  • The client stores the token and carries it with every subsequent request;
  • The server validates the token and returns the data.

This token must be sent to the server on every request, normally in a request header, and the server must support CORS (Cross-Origin Resource Sharing). This is usually done by returning Access-Control-Allow-Origin: * from the server side.

The composition of JWT

A JWT is composed of three parts; the three pieces of text are joined with dots to form the JWT string, like this:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
eyJVc2VySWQiOjEyMywiVXNlck5hbWUiOiJhZG1pbiJ9.
Qjw1epD5P6p4Yy2yju3-fkq28PddznqRj3ESfALQy_U

The first part is called the header, the second part the payload, and the third part the signature.

Header

The header of the JWT carries two pieces of information:

  • The type of the token, in this case JWT
  • The signing algorithm, usually HMAC SHA256

{
  "typ": "JWT",
  "alg": "HS256"
}

The header is Base64url-encoded to form the first part. Note that this is encoding, not encryption: anyone can decode it back to the JSON above.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

Payload

The payload is also a JSON object and holds the data that needs to be transmitted. The JWT specification defines seven registered claim names that can be used:

  • iss (Issuer): the issuer of the token
  • exp (Expiration Time): the expiry time
  • sub (Subject): the subject of the token
  • aud (Audience): the intended audience
  • nbf (Not Before): the time before which the token must not be accepted
  • iat (Issued At): the time of issue
  • jti (JWT ID): a unique identifier for the token

Signature

The signature section is a signature over the first two sections and prevents the data from being tampered with.

First, a secret must be chosen. This key is known only to the server and must not be disclosed to users. Then, using the algorithm specified in the header (HMAC SHA256 by default), the signature is generated as follows:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

Note: the secret is stored on the server side. The server issues the JWT and the same secret is used both to issue and to verify it, so it is effectively your server's private key and must never be disclosed in any scenario. Once a client knows this secret, it can issue JWTs itself.

In general, the token is sent in the Authorization header of the request, prefixed with Bearer:

fetch('api/user/1', {
  headers: {
    'Authorization': 'Bearer ' + token
  }
})

Conclusion

  • Because JSON is universal, JWT is supported across languages such as C#, JavaScript, Node.js, PHP and many more
  • Thanks to the payload, a JWT can carry non-sensitive information that other business logic needs
  • Easy to transport: a JWT is very simple to build and has a small byte footprint
  • No session information needs to be stored on the server, so the application is easy to scale out
  • Sensitive information must not be stored in the payload of a JWT, because the client can decode that part
  • Protect the secret key; it is critical
  • Use HTTPS whenever possible

Github.com/huzhao0316/…