With the growth of the Internet, the security requirements on web applications keep rising. In a development model where the front end and back end are separated, the server generates a token with a specific cryptographic method; the client stores that token and sends it back to the server as its authorization, and the server uses it to authenticate the client. JWT (JSON Web Token), a lightweight authentication method that carries claims between communicating parties as a JSON object, is favored by more and more developers.

What is authentication

Without authentication, anyone can call the API and manipulate our data. The following figure shows a common authentication flow. The client submits a user name and password, and the server generates a token (the token may carry non-sensitive information; it can be recognized as that user's only through the server's authentication and signing scheme). The token is returned to the browser client. When the client calls the server again, it carries the token with the request. The server validates the token with the same scheme that produced it, and only once the token checks out does it perform the requested operation.

Application

I need to generate a token from the following JSON using JWT authentication.

{
  "name": "scar",
  "role": "admin",
  "expirationData": "2018-10-24 17:05:00"
}

JWT authentication

JWT consists of three parts.

1. Header

It is in JSON format and specifies the signing algorithm (alg) and the token type (typ).

2. Payload

It is in JSON format. It carries the claims to be signed; the registered claims, all of them optional, are listed in the following table.

Registered claims in the Payload (all optional)

Claim   Meaning
iss     Issuer of the JWT
sub     Subject: the user the JWT is about
aud     Audience: the party intended to receive the JWT
exp     Expiration time of the JWT; must be later than the issue time
nbf     Not-before time: the JWT is not valid before this time
iat     Time at which the JWT was issued
jti     Unique identifier of the JWT; mainly used to make a token one-time use and prevent replay attacks

3. Signature

The Header and Payload are signed so that any tampering with them can be detected.

before_sign = base64UrlEncode(Header) + '.' + base64UrlEncode(Payload): the two encoded parts are joined with an ASCII period. before_sign is the first argument of the MAC function and the secret (the post calls it a secret salt; it is really a shared secret key that only the server knows) is the second; the algorithm used is the one named by alg in the Header. Finally, before_sign and the (base64url-encoded) MAC of before_sign are joined with another period: final_sign = before_sign + '.' + HS256(before_sign, secretSalt);

Implemented code

First, CryptoJS and jsrsasign are included (only CryptoJS is actually used in the code below).

const CryptoJS = require('crypto-js'); // in the browser, load crypto-js with a <script> tag instead

// Base64url differs from ordinary Base64: no '=' padding, '-' instead of '+', '_' instead of '/'
function base64UrlEncode(wordArray) {
   var encodedSource = CryptoJS.enc.Base64.stringify(wordArray);
   var reg = new RegExp('/', 'g');
   encodedSource = encodedSource.replace(/=+$/, '').replace(/\+/g, '-').replace(reg, '_');
   return encodedSource;
}

let header = JSON.stringify({
  "alg": "HS256",
  "typ": "JWT"
});

let payload = JSON.stringify({
  "name": "scar",
  "role": "admin",
  "expirationData": "2018-10-24 17:05:00"
});
let secretSalt = "user"; // the HMAC key; a real deployment needs a long, random secret

// first two parts: base64url(header).base64url(payload)
let before_sign = base64UrlEncode(CryptoJS.enc.Utf8.parse(header)) + '.' + base64UrlEncode(CryptoJS.enc.Utf8.parse(payload));

// third part: HMAC-SHA256 over before_sign with the secret, base64url-encoded
let signature = CryptoJS.HmacSHA256(before_sign, secretSalt);
signature = base64UrlEncode(signature);

let final_sign = before_sign + '.' + signature;
// final_sign: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoic2NhciIsInJvbGUiOiJhZG1pbiIsImV4cGlyYXRpb25EYXRhIjoiMjAxOC0xMC0yNCAxNzowNTowMCJ9.bVc48JsxiM7ZZgtZch1QnRpLyt08M9LepwoLvs_aejI

Use eoLinker for validation

Fill in the request details. Here I put the JWT token in the Authorization header of the request.

Click Test, and the result is the same token that our signing code produced.