JWT(json web token)

Definition

​ Json web token (JWT), Is a kind of implementation based on the JSON Open standards for （(RFC 7519). The token Designed to be compact and safe , Especially for single sign in of distributed sites （SSO） scene .JWT The declaration of is generally used to pass the authenticated user identity information between the identity provider and the service provider , To get resources from the resource server , You can also add some additional declaration information that other business logic requires , The token It can also be used directly for authentication , It can also be encrypted .

session Authentication and token Differences in certification

session：

We know ,http Protocol itself is a stateless protocol , This means that if the user provides a user name and password to our application for user authentication , So the next time you ask , The user has to do user authentication again , Because according to http agreement , We don't know which user made the request , So in order for our application to recognize which user made the request , We can only store one copy of user login information on the server , This login information will be passed to the browser in response , Tell it to save as cookie, So that the next request can be sent to our app , So our application can identify which user the request came from , This is the basis of tradition session authentication

token：

be based on token The authentication mechanism of is similar to http The agreement is also stateless , It doesn't need to keep the user's authentication information or session information in the server . That means based on token The application of authentication mechanism does not need to consider which server the user logs in , This facilitates the expansion of the application .

##session Disadvantages of Authentication

Session: After each user has passed our application authentication , All of our applications should be recorded on the server , In order to facilitate the identification of the user's next request , generally session It's all stored in memory , And with the increase of authenticated users , The cost of the server will increase obviously .

Extensibility : After user authentication , The server makes authentication records , If the authentication record is stored in memory , This means that the next time a user requests it, he must request it on this server , In this way, we can get the authorized resources , So in distributed applications , Accordingly, the capacity of load balancer is limited . This also means that the expansion ability of the application is limited .

CSRF: Because it's based on cookie For user identification , cookie If intercepted , Users will be vulnerable to cross site request forgery attacks .

token Action process

• The user uses the user name and password to request the server
• The server verifies the user's information
• The server is sent to the user by authentication token
• Client storage token, And attach this to every request token value
• Server side validation token value , And return the data

This token It has to be passed to the server on every request , It should be kept in the request header , in addition , The server should support CORS( Cross source resource sharing ) Strategy , Generally, we can do this on the server side Access-Control-Allow-Origin: *.

JWT The composition of the

jWT It consists of three pieces of information (), These three pieces of information together form a paragraph jwt character string , Between each part . Connect

header

​ header It contains two parts of information ：

• Declaration type

• Declare the encryption algorithm Usually used directly HMAC SH256

  Such as ：

  {
    'typ': 'JWT',
    'alg': 'HS256'
  }
  

  Then perform base64 encryption ( This encryption can constitute symmetric decryption ), Constitute the JWT The first part of
  ###payload

  The load is where the payload is stored . The name seems to refer to the goods carried on the plane , The valid information consists of three parts

  • A statement registered in the standard
  • Public statement
  • Private statement

A statement registered in the standard

iss: jwt Issuer

sub: jwt Target users

aud: receive jwt On the side of

exp: jwt The expiration time of , The expiration time must be greater than the issuing time

nbf: Define before what time , The jwt They're not available .

iat: jwt Issued on

jti: jwt Unique identity of , Mainly used as a one-off token, To avoid replay attacks .

Public statement

​ Public statements can add any information , Generally, add relevant information of users or other necessary information required by business , But it's not recommended to add sensitive information , Because this part can be decrypted on the client

Private statement

A private statement is a statement defined by both the provider and the consumer , It is generally not recommended to store sensitive information , because base64 It's symmetric decryption , It means that this part of information can be classified as clear text information .

payload Example ：

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

### Visa information (signature)

​ Visa information consists of three parts :

• header (base64 After )

• payload (base64 After )

• secret

  This part needs base64 Encrypted header and base64 Encrypted payload Use . String of connections , And then through header Adding salt in the encryption method stated in secret Combination encryption , And then it forms jwt Part three .

Be careful ：secret It's stored on the server side ,jwt The signature generation of is also on the server side ,secret It's used to do jwt And jwt Validation of the , therefore , It is the private key of your server , It should not be revealed in any scene . Once the client knows this secret, That means that the client can issue itself jwt 了 .

## advantage

• because json The generality of , therefore JWT Cross language support is available , image JAVA,JavaScript,NodeJS,PHP And many other languages can be used .

• Because of the payload part , therefore JWT It can store some non sensitive information necessary for other business logic in itself .

• Easy to transmit ,jwt It's very simple , Bytes are very small , So it's very easy to transmit .

• It doesn't need to save session information on the server , So it's easy to apply extensions

Safety related

• Should not be in jwt Of payload Some store sensitive information , Because this part is the decryptable part of the client .
• Well protected secret Private key , The private key is very important .
• If possible , Please use https agreement

Tools

• jwt.io decode ( Online parsing and decoding jwt token Tools )

• JWT Token Online code generation - ToolTT Online toolbox

• base64

• jwt.py