
How to use JSON Web Token to design single sign-on system

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

In this article the editor presents the "eight cartoons" that explain how to design a single sign-on system with JSON Web Token (JWT). The content is rich and is analyzed and narrated from a professional point of view; I hope you get something out of it.

User authentication

User authentication (Authentication) is the mechanism that lets a user log in and then keeps that user logged in for a period of time while visiting the site, without having to log in again on every request.

Tip: do not confuse user authentication with user authorization (Authorization). Authorization is about defining and granting the permissions a user may exercise, such as posting or managing the site.

First, the server application (hereafter "the application") lets the user submit a user name and password through a web form to an interface on the server. This is typically an HTTP POST request. The recommended way is to send it over SSL/TLS (the https protocol) so that the credentials cannot be sniffed in transit.

Next, the application checks the user name and password with the database.

After the user name and password check out, the application places the user's id (user_id in the figure) as an attribute in the JWT Payload, Base64-encodes the header and the payload, and signs them to form the JWT. The JWT is a string of the form lll.zzz.xxx, i.e. three Base64 parts separated by dots.

The application returns the JWT string to the user in a Cookie. Note that the HttpOnly attribute must be set here so that the Cookie cannot be read by JavaScript, which keeps the token out of reach of a cross-site scripting (XSS) attack.

Until the Cookie expires or is deleted, every request the user makes to the application carries the Cookie containing the JWT, so the application can extract the JWT from the request.

The application checks the validity of the JWT through a series of steps: for example, it checks that the signature is correct, checks that the Token has not expired, and (optionally) checks that the intended recipient (audience) of the Token is this application.

After confirming that the JWT is valid, the application Base64-decodes the Payload (this may already have happened in the previous step) and reads the user's id from the user_id attribute. In the figure the user's id is 1025.

The record of the user with id 1025 is fetched from the database, loaded into memory and initialized by the underlying logic such as the ORM.

The application responds to the user's request.

The difference between Session and JWT in storing the user id

The biggest disadvantage of storing the user id in a Session is that it takes up a lot of server memory: a large application may have to keep a great deal of state. Generally speaking, large-scale applications also need a KV database and a series of caching mechanisms to provide Session storage.

The JWT approach pushes the user's state out to the client, which obviously reduces the memory pressure on the server. Besides the user id, you can store other user-related information in the token, such as whether the user is an administrator or which A/B-testing bucket the user is in (see [the basics of A/B testing you should know](/2015/08/27/introduction-to-ab-testing/)), and so on.

The JWT approach does put some computing pressure on the server (signing, encoding and decoding), but this cost may be roughly the same as that of disk I/O. Whether to adopt it should be decided with measurements in each concrete scenario.

Single sign-on

When a Session is used to store the user's id, the Session initially exists on only one server. For a site with multiple subdomains, each subdomain corresponds to at least one distinct server, for example:

- www.taobao.com
- nv.taobao.com
- nz.taobao.com
- login.taobao.com

So, to have a valid Session under the other subdomains after logging in at login.taobao.com, the Session has to be synchronized across multiple servers.

With JWT there is no such problem, because the user's state has been moved to the client. All we need to do is set the domain of the Cookie that carries the JWT to the top-level domain, for example:

```http
Set-Cookie: jwt=lll.zzz.xxx; HttpOnly; max-age=980000; domain=.taobao.com
```

Note that domain must be set to a dot followed by the top-level domain, that is .taobao.com. That way both taobao.com and *.taobao.com receive the Cookie and get the JWT.
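As an added example (not from the original article), the following Python builds the Set-Cookie header above with the standard library's http.cookies module and implements the domain-matching rule of RFC 6265 section 5.1.3, which decides which hosts are sent a cookie scoped to .taobao.com. It adds the Secure attribute on top of the article's header, and the host names other than the article's own subdomains are constructed for illustration.

```python
from http.cookies import SimpleCookie


def build_jwt_cookie(jwt: str, top_domain: str = ".taobao.com", max_age: int = 980000) -> str:
    """Build the Set-Cookie header from the article. Secure is added to the article's
    attributes so the JWT only travels over HTTPS, matching the earlier advice to
    use an encrypted transport."""
    cookie = SimpleCookie()
    cookie["jwt"] = jwt
    cookie["jwt"]["domain"] = top_domain
    cookie["jwt"]["max-age"] = max_age
    cookie["jwt"]["httponly"] = True  # JavaScript cannot read the cookie
    cookie["jwt"]["secure"] = True    # only sent over HTTPS
    return cookie.output()


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: the request host must either equal the
    cookie domain or end with '.' + cookie domain. A leading dot in the Domain attribute
    is ignored by modern browsers, so .taobao.com and taobao.com scope identically."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    # The suffix check must include the dot: notaobao.com must NOT match taobao.com.
    return host.endswith("." + domain)


def hosts_receiving_cookie(hosts, cookie_domain=".taobao.com"):
    """Return the subset of hosts that would be sent a cookie scoped to cookie_domain."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


if __name__ == "__main__":
    print(build_jwt_cookie("lll.zzz.xxx"))
    # Constructed host list: the article's subdomains plus two look-alike names
    # that a correct matcher must exclude.
    sample_hosts = [
        "taobao.com", "www.taobao.com", "login.taobao.com", "nv.taobao.com",
        "notaobao.com", "taobao.com.example",
    ]
    print(hosts_receiving_cookie(sample_hosts))
```

The look-alike names show why the matcher compares against "." + domain rather than a bare suffix: a plain endswith("taobao.com") check would wrongly hand the token to notaobao.com.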

The above are the eight cartoons the editor shared to explain how to use JSON Web Token to design a single sign-on system. If you happen to have similar doubts, you may wish to refer to the above analysis. If you want to learn more, you are welcome to follow the industry information channel.
