Preface

This article introduces token-based authentication and JWT (JSON Web Token).

This article is part of a series, which can be read in the following order:

  • Token-based Authentication and JWT(JSON Web Token)
  • The construction of the
  • The construction of the

The body of the

This article first covers authentication in web applications, then token-based authentication, and finally the commonly used JWT.

Identity authentication

HTTP is a stateless protocol: the server retains nothing between requests. If one request is authenticated with a username and password, the next request from the same page would have to be authenticated all over again.

In practice we need a mechanism to track login state across requests, and the traditional solution is the session-cookie scheme: the server keeps a session record and hands the client a cookie carrying the session id, which the browser sends back with every request.

Token-based authentication

In recent years RESTful APIs have become popular, and passing an authentication token in an HTTP header is the natural fit for them. Together with the separation of front end and back end, this is driving more and more web applications towards token-based user authentication rather than the traditional cookie + session approach.

A token-based authentication mechanism consists of the following steps:

  • The client requests login with a username and password
  • The server receives the request and verifies the username and password
  • If they are valid, the server issues a token and sends it to the client
  • The client stores the token, for example in a cookie or in Local Storage (a value in Local Storage can be read by any script running on the page, whereas a cookie can be flagged HttpOnly)
  • Every time the client requests a resource, it must carry the token issued by the server, for example in an HTTP header such as Authorization
  • The server receives the request and verifies the token; if the check succeeds, it returns the requested data to the client

This approach has several benefits:

  • Stateless: the token is just a value, and a JWT can itself carry simple information such as a user id, so the server does not have to store anything per user. With sessions, the server must keep session state and, in a distributed deployment, solve the problem of sharing it across nodes.
  • Cross-platform and cross-domain: with token-based authentication the token travels in an HTTP header, so one API server, built once, can serve Android, iOS, Windows Phone and web clients alike. Cookies, by contrast, are bound to a domain, which limits where they can be used.

JWT (JSON Web Token)

JSON Web Token (JWT, specified in RFC 7519) is a standard format for such tokens and is probably the most widely used one.

A JWT has three parts, separated by dots:

  • The header has two fields: the token type ("typ": "JWT") and the signing algorithm ("alg"), for example HS256 for HMAC-SHA256. It is JSON, base64url-encoded.
  • The payload is the set of claims you want to carry, for example a user id and an expiry time. It is also only base64url-encoded, not encrypted, so anyone holding the token can read it.
  • The signature is computed over the encoded header and payload with the server's key and is what makes the token unforgeable: if the header or payload is altered, the signature no longer matches. For HS256 it is HMAC-SHA256(base64url(header) + "." + base64url(payload), key).

Figure: the composition of a JWT
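The login-then-verify flow from the step list above and the three-part token structure just described, worked through in Go as an added example (this is not code from the original article, and it uses only the Go standard library). The Authorization: Bearer header and the one-hour lifetime are assumptions for the example; the text only says "a custom header".

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload carried in the token: the user id ("sub") and the
// expiry time ("exp", Unix seconds). The claim names are the registered JWT
// ones; the Go struct itself is ours.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// SignHS256 produces header.payload.signature. Header and payload are
// base64url-encoded JSON; the signature is HMAC-SHA256 over those two encoded
// parts joined by a dot, keyed with the server's secret.
func SignHS256(claims Claims, key []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 is what the server runs on every request. The algorithm is
// pinned by the verifier rather than read from the token, the MAC is recomputed
// over the exact bytes received and compared in constant time, and only then
// is the payload decoded and the expiry checked.
func VerifyHS256(token string, key []byte, now time.Time) (Claims, error) {
	var claims Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, errors.New("token must have three parts")
	}
	enc := base64.RawURLEncoding
	headerJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return claims, errors.New("bad header encoding")
	}
	var header struct{ Alg string `json:"alg"` }
	if json.Unmarshal(headerJSON, &header) != nil || header.Alg != "HS256" {
		return claims, errors.New("unexpected alg")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return claims, errors.New("bad signature encoding")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return claims, errors.New("signature mismatch")
	}
	payloadJSON, err := enc.DecodeString(parts[1])
	if err != nil {
		return claims, errors.New("bad payload encoding")
	}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return claims, err
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return claims, errors.New("token expired")
	}
	return claims, nil
}

// Authenticate models the per-request check: the client sends the token as
// "Authorization: Bearer <token>" (our assumption) and the server verifies it
// before serving the resource.
func Authenticate(authorizationHeader string, key []byte, now time.Time) (Claims, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authorizationHeader, prefix) {
		return Claims{}, errors.New("missing bearer token")
	}
	return VerifyHS256(strings.TrimPrefix(authorizationHeader, prefix), key, now)
}

func main() {
	key := []byte("constructed-example-secret-not-for-production") // constructed
	now := time.Unix(1_700_000_000, 0)
	// Login step: credentials already checked, so issue a one-hour token.
	token, _ := SignHS256(Claims{Sub: "user-42", Exp: now.Add(time.Hour).Unix()}, key)
	// A later request: the client sends the token back in the header.
	claims, err := Authenticate("Bearer "+token, key, now)
	fmt.Println(token, claims.Sub, err)
}
```

Two details matter more than they look: the verifier decides the algorithm instead of trusting the token's own "alg" field (so a header claiming "none" is refused), and the comparison uses hmac.Equal rather than ==, so a forged signature cannot be guessed byte by byte through timing differences.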

Signing JWTs with an asymmetric algorithm

Most people sign JWTs with HMAC-SHA256 (HS256) using a shared secret key, and the security of the token rests entirely on that key. In a distributed system the JWT is usually issued by an authentication server and verified by resource servers, so every resource server needs the same key. Authentication and resource services are often developed and maintained by different teams, and a secret that is handed around between them is likely to leak. Once it leaks, anyone holding it can mint arbitrary JWTs and obtain the protected data.

Signing with an asymmetric algorithm such as RSA (RS256 in JWT terms) solves this problem: the authentication server signs the JWT with its private key, the resource servers verify it with the corresponding public key, and only the authentication service ever holds the private key. The public key can be handed to every resource service freely, because it can verify tokens but cannot produce them, so the secret now lives in exactly one place and the risk of leakage is greatly reduced.
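The private/public key split described above, as an added Go example (not code from the original article; Go standard library only). The authentication server is the only holder of the RSA private key and issues RS256 tokens; a resource server receives nothing but the public key. The key size, the claim names and the second "rogue" key pair used to show a failed forgery are all choices made for this example, and claim checks such as expiry are left out to keep the focus on the key split.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the payload: a user id and an expiry in Unix seconds (our choice).
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// AuthServer is the only party holding the private key.
type AuthServer struct{ priv *rsa.PrivateKey }

// ResourceServer holds nothing but the public key: it can verify, not issue.
type ResourceServer struct{ pub *rsa.PublicKey }

// NewAuthServer generates a fresh 2048-bit RSA key pair for the example.
func NewAuthServer() (*AuthServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &AuthServer{priv: priv}, nil
}

// PublicKey is what the authentication server publishes to resource servers.
func (a *AuthServer) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }

// Issue signs base64url(header).base64url(payload) with RSASSA-PKCS1-v1_5
// over SHA-256, which is what the JWT "alg" value RS256 denotes.
func (a *AuthServer) Issue(claims Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, a.priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// Verify checks the signature with the public key and returns the claims. The
// algorithm is pinned to RS256 by the verifier: honouring an "alg" of HS256
// taken from the token would let a client use the public key as an HMAC
// secret, a well-known key-confusion pitfall.
func (r *ResourceServer) Verify(token string) (Claims, error) {
	var claims Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, errors.New("token must have three parts")
	}
	enc := base64.RawURLEncoding
	headerJSON, _ := enc.DecodeString(parts[0]) // a decode error leaves junk that fails the alg check
	var header struct{ Alg string `json:"alg"` }
	if json.Unmarshal(headerJSON, &header) != nil || header.Alg != "RS256" {
		return claims, errors.New("unexpected alg")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return claims, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(r.pub, crypto.SHA256, digest[:], sig) != nil {
		return claims, errors.New("signature mismatch")
	}
	payloadJSON, err := enc.DecodeString(parts[1])
	if err != nil {
		return claims, errors.New("bad payload encoding")
	}
	err = json.Unmarshal(payloadJSON, &claims)
	return claims, err
}

func main() {
	auth, _ := NewAuthServer()
	resource := &ResourceServer{pub: auth.PublicKey()} // only the public key leaves the auth server
	token, _ := auth.Issue(Claims{Sub: "user-42", Exp: 1_700_003_600})
	claims, err := resource.Verify(token)
	fmt.Println(claims.Sub, err)
	// A party with its own key pair, or with only the public key, cannot mint
	// a token the resource server trusts: the signature does not verify.
	rogue, _ := NewAuthServer()
	forged, _ := rogue.Issue(Claims{Sub: "admin", Exp: 1_700_003_600})
	_, err = resource.Verify(forged)
	fmt.Println("forged:", err)
}
```

The point the text makes falls out of the types: ResourceServer has no method that can produce a signature, so copying its configuration to every team gives an attacker nothing to forge with, whereas with a shared HMAC key every verifier is also an issuer.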

Postscript (later update)

Refresh tokens (to be added)

The advantages of token-based authentication have been laid out above, but is this approach suitable everywhere? The following articles argue against using JWT for web session management:

  • Do not use JWT for session management of web applications
  • Stop using JWT for sessions
  • Stop using JWT for sessions, part 2: Why your solution doesn't work