
How to use JWT in thinkphp6.0.7

2025-01-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article introduces how to use JWT in thinkphp6.0.7. Many people run into this problem in real projects, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!

What is JWT?

JWT is the abbreviation of JSON Web Token. It packs user information into a signed token, and the server does not save any user information. The server verifies the token with the key it holds and accepts the token as long as the signature is correct. The header and payload are only base64url-encoded, not encrypted, so anyone who holds the token can read them; do not put secrets in the payload. Token-based authentication can replace the traditional cookie+session authentication method.

Login Authentication based on session

In traditional user login authentication, because HTTP is stateless, the session mode is used. If the user logs in successfully, the server saves a session and gives the client a sessionId. The client saves the sessionId in a cookie, and each request carries this sessionId.

In the cookie+session mode the session is usually kept in server memory. As the number of users grows and the service moves from a single instance to multiple instances, the session has to be shared between them. This is not the case with JWT. The server only needs to generate a token and the client saves it. Each request carries the token, and the server can authenticate and parse it.

JWT consists of three parts: header.payload.signature

Header section:

{"alg": "HS256", "typ": "JWT"}

The corresponding base64UrlEncode encoding is: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Description: this field is in JSON format. The alg field specifies the algorithm for generating the signature; its default value is HS256. The default value of typ is JWT.

Payload section:

{"sub": "1234567890", "name": "John Doe", "iat": 1516239022}

The corresponding base64UrlEncode encoding is: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ

Description: this field is in JSON format and carries the user identity data. You can customize the fields, which is very flexible. Here sub is the user, name is the name, and iat is the issue time. A customized example:

{
    "iss": "admin",            // the issuer of the JWT
    "sub": "www.admin.com",    // the user
    "aud": "zhangsan",         // the party receiving the JWT
    "iat": 1535967430,         // the time of issue
    "exp": 1535974630,         // expiration time
    "nbf": 1535967430,         // do not accept or process the token before this time
    "jti": "9f10e796726e332cec401c569969e13e"    // the unique ID of the token
}

Signature section:

The signature of HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), 123456) is: keH6T3x1z7mmhKL1T3r9sQdAxxdzB6siemGMr_6ZOwU

The resulting JWT token (header.payload.signature) is: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.keH6T3x1z7mmhKL1T3r9sQdAxxdzB6siemGMr_6ZOwU

Description: the header and payload are each base64UrlEncode-encoded and joined with ".". The result is signed with the HS256 algorithm using the key (123456 in this case).

JWT usage process

1. Initial login: the user logs in for the first time and enters the username and password.

2. Password verification: the server takes the username and password from the database and verifies them.

3. Generate JWT: once verification passes, the server generates a JWT according to the information returned from the database and the preset rules.

4. Return JWT: the server returns the JWT in the HTTP response.

5. Request with JWT: when the client initiates later requests, the Authorization field in the HTTP request header must carry the JWT.

6. The server verifies the JWT.

JWT version

There are several versions of JWT in PHP; I chose the latest version. Don't ask why: when you buy electronic products, you buy new products instead of old ones.

Install jwt

1. Install using composer

composer require lcobucci/jwt

2. Download from github

Click on me to jump to github address: https://github.com/lcobucci/jwt

Dependencies

PHP 5.5+, OpenSSL extension

Use

Parameter interpretation

Explain the meaning of the above parameters before using them:

Name: interpretation

iss (issuer): the entity that issues the request; it can be the information of the user who initiated the request or the issuer of the JWT

sub (subject): sets the subject, similar to the subject line when sending an email

aud (audience): the party that receives the JWT

exp (expire): token expiration time

nbf (not before): the token cannot be used before the time set in nbf

iat (issued at): token creation time

jti (JWT ID): a unique identifier for the current token
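
The header.payload.signature structure and the exp and nbf claims described above, checked on the verifying side in plain PHP. This is an added example, not the article's jwt.php and not lcobucci/jwt code. The function names are hypothetical, the claim values are constructed from the article's sample payload, and a random 256-bit key replaces the sample key 123456.

```php
<?php
// Added example: plain-PHP HS256 sign/verify; function names are hypothetical.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $txt): string {
    $padded = $txt . str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return (string) base64_decode(strtr($padded, '-_', '+/'), true);
}
function jwt_sign(array $claims, string $key): string {
    $input = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']))
        . '.' . b64url_encode(json_encode($claims));
    return $input . '.' . b64url_encode(hash_hmac('sha256', $input, $key, true));
}
// Returns the claims, or null when the token must be rejected.
function jwt_verify(string $jwt, string $key, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm; never let the token's own header choose it.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') return null;
    // Recompute the HMAC over header.payload and compare in constant time.
    $expected = hash_hmac('sha256', $h . '.' . $p, $key, true);
    if (!hash_equals($expected, b64url_decode($s))) return null;
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims)) return null;
    // Time claims are read only after the signature check; exp is required here.
    if (isset($claims['nbf']) && $now < $claims['nbf']) return null;
    if (!isset($claims['exp']) || $now >= $claims['exp']) return null;
    return $claims;
}

// HS256 keys should be at least 256 bits (RFC 7518); 123456 is illustration only.
$key = random_bytes(32);
$now = 1535967430; // constructed clock, equal to the article's sample iat
$token = jwt_sign(['sub' => 'www.admin.com', 'iat' => $now,
                   'nbf' => $now, 'exp' => $now + 7200], $key);
[$h, $p, $s] = explode('.', $token);
// Same header and signature, different payload (constructed tampering case).
$forged = $h . '.' . b64url_encode(json_encode(['sub' => 'root', 'exp' => $now + 7200])) . '.' . $s;
$cases = [
    'genuine token'            => [$token,  $now + 60],
    'payload altered'          => [$forged, $now + 60],
    'presented at exp'         => [$token,  $now + 7200],
    'presented before nbf'     => [$token,  $now - 1],
];
foreach ($cases as $label => [$jwt, $at]) {
    printf("%-22s %s\n", $label, jwt_verify($jwt, $key, $at) === null ? 'rejected' : 'accepted');
}
```

Run it with the php command-line binary: only the genuine token is accepted, and the other three cases are rejected.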

How to implement JWT with PHP

I use PHP 7.3.4, no nonsense, just go to the code, create a new jwt.php, copy and paste as follows:
