Web Security (IX) what is JWT?
2022-07-01 05:22:00 【jinyangjie0】
1. Overview
JWT (JSON Web Token) is an open specification based on JSON. It allows us to use a JWT to pass secure information between a user and a server.
In use, the server generates a token according to the specification and hands it to the client. From then on, the client carries the token on each request to the server and uses it to prove its identity.
Purpose: the token represents the user's identity. The difference from keeping a user logged in with a session is that with JWT the server keeps no record of the authentication; it only has to keep the secret key.
2. The composition of JWT
A JWT is made up of three pieces of information; joining these three text segments with a dot (.) produces the JWT string.
The first part is called the header, the second is called the payload (like the cargo carried on an aircraft), and the third is the signature.
header
The JWT header carries two pieces of information:
- the declared type, here JWT
- the declared algorithm used for the signature, usually HMAC SHA256
The whole header is the following JSON:
{
"typ": "JWT",
"alg": "HS256"
}
The header is then base64-encoded (this is an encoding, not encryption: anyone can reverse it), and the result forms the first part.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
payload
The payload is where the actual data is stored; the name refers to the cargo an aircraft carries. The information in it falls into three groups:
- claims registered in the standard
- public claims
- private claims
Claims registered in the standard (recommended but not mandatory):
- iss: the issuer of the JWT
- sub: the subject (target user) of the JWT
- aud: the party that receives the JWT
- exp: the expiration time of the JWT; it must be later than the issue time
- nbf: the time before which the JWT is not valid
- iat: the time at which the JWT was issued
- jti: the unique identifier of the JWT, mainly used to make a token one-off and so avoid replay attacks
Public claims:
Public claims can carry any information, generally information about the user or other information the business requires. Sensitive information should not be added, because this part can be decoded on the client side.
Private claims:
Private claims are claims agreed between the provider and the consumer. Storing sensitive information in them is not recommended either, because base64 is reversible, which means this part of the token is effectively plaintext.
Define a payload:
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
It is then base64-encoded to obtain the second part of the JWT.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9
signature
The third part of the JWT is the signature, which is computed from three inputs:
- the header (after base64 encoding)
- the payload (after base64 encoding)
- the secret
Take the base64-encoded header and the base64-encoded payload, join them with a dot, and then sign the joined string with the algorithm declared in the header, using the secret as the key (the "salt"). The result forms the third part of the JWT.
// javascript (pseudocode): header and payload are the JSON documents shown above
var encodedString = base64UrlEncode(header) + '.' + base64UrlEncode(payload);
// HMAC-SHA256 over "header.payload", keyed with the server-side secret
var signature = HMACSHA256(encodedString, 'secret'); // TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Joining these three parts with dots gives the complete string, the final JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Note: the secret is stored on the server side, and the JWT signature is also generated on the server side. The secret is used both to issue JWTs and to validate them, so it is effectively your server's private key and must not be disclosed under any circumstances. Once a client knows this secret, it can issue its own JWTs.
3. The problem with session-based authentication
Session: once a user has been authenticated by our application, the application has to record that fact on the server so that the user's next request can be recognised. Sessions are usually kept in memory, so as the number of authenticated users grows, the cost on the server grows noticeably. Because the authentication record lives in the memory of one server, the user's next request must land on that same server in order to reach the authorised resources. In a distributed application this constrains what the load balancer can do, which in turn limits how far the application can scale out.
With JWT the server does not need to keep any authentication record; the client only has to store the token the server returned, which improves scalability.