Shulou(Shulou.com)06/02 Report--

How to use Golang to achieve a flexible JWT library, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can get something.

JWT full chen JSON Web Tokens is now widely used in a variety of front-end separation scenarios, it is more flexible than the traditional Token Session approach.

Of course, there are many open source JWT libraries on the Internet, and open source organizations also provide official libraries.

I recently wrote a JWT library myself, and the code has been uploaded to github at the following address:

Https://github.com/liu578101804/go-tool/tree/master/jwt

Compared with the famous JWT library, I do not have any advantages, just for learning to use, you are welcome to correct the shortcomings.

Next, I will tell you my idea of realization.

The principle of JWT

If we want to implement the JWT algorithm, we must first understand its principle, and I will try to explain it in short words:

The data output by the JWT algorithm is a string containing header (header information). Payload (content). Signature (signature).

Let's get a real string generated by JWT:

EyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Is it suddenly clear that this string is also called token, because this string of token contains the information needed for verification, which is more flexible and independent than the traditional session which needs to go to the server to get verification information.

Because it does not rely on the traditional storage of session, it has a great advantage not to use it in distributed servers.

Of course, he also has shortcomings, the biggest headache is these two points:

It's out of control. Once the issued token can not be destroyed by him in advance, unlike the traditional, I can delete the token in my session. Next time, the token will be invalid. Of course, this is not impossible to solve, just add the blacklist mechanism to the whole system, just a little bit of trouble.

Information is not so good compared to the traditional session data volume and privacy. Because token is generally not recommended to be particularly long, the amount of data carried by payload is limited. At the same time, the payload in the string can be decrypted, so there is a definite risk of being deciphered (of course, you can use a more difficult algorithm to reduce this risk).

Algorithm composition

The composition of JWT algorithm is very simple, only need a reversible encryption algorithm to encrypt header (header information). Payload (content), an irreversible algorithm to encrypt the previous part of the content to generate signature (signature).

If we combine different encryption algorithms, we will form different JWT encryption algorithms. For example:

HS256 (HMAC + SHA-256)

RS256 (RSA + SHA-256)

Of course, there are many, you can combine yourself, we will write this library to support your customization.

Concrete realization

Let's move on to the code implementation phase:

Speaking of my design idea, Golang has a natural advantage is to support the function as a variable input, we can according to this feature of the encrypted part to the caller to implement, we put the implementation of the main line, so that our JWT will be very flexible.

The body code we are going to write is less than 100 lines without comment blank lines.

Jwt.go

Package jwt import ("encoding/json"strings"fmt") / / declare a standard JWT interface type IJwt interface {/ / set header SetHeader (string) / / set signature algorithm SetSignFunc (SignFunc) / / set encoding algorithm SetEncodeFunc (EncodeFunc) / / write body WriteBody (mapping [string] interface {}) / / generate jwt CreateJwtString () (string Error) / / verify jwt CheckJwtString (string) bool} / / Specification header format type Header struct {Type string `json: "type" `Alg string `json: "alg" `} / / signature algorithm type SignFunc func ([] byte) string / / Encoding algorithm type EncodeFunc func ([] byte) string / / declare a structure diagram to implement the standard JWT interface type Jwt struct {Header Header Body Map [string] interface {} signFun SignFunc encodeFun EncodeFunc} / / set header information Explain the signature algorithm you use func (j * Jwt) SetHeader (headerType string) {j.Header = Header {Type: "JWT", Alg: headerType }} / / set signature algorithm func (j * Jwt) SetSignFunc (signFunc SignFunc) {j.signFun = signFunc} / / set the encryption algorithm func (j * Jwt) SetEncodeFunc (encodeFunc EncodeFunc) for header and body {j.encodeFun = encodeFunc} / / write the content to be encrypted func (j * Jwt) WriteBody (body map [string] interface {}) {j.Body = body} / / generate token func (j * Jwt) CreateJwtString () (string Error) {/ / Encoding header headerByte,err: = json.Marshal (j.Header) if err! = nil {return ", err} headerStr: = j.encodeFun (headerByte) / / Encoding body bodyByte,err: = json.Marshal (j.Body) if err! = nil {return" Err} bodyStr: = j.encodeFun (bodyByte) / / signature signByte: = j.signFun ([] byte (string (headerStr) + "." + string (bodyStr)) return fmt.Sprintf ("% s.%s.%s", headerStr,bodyStr,signByte), nil} / / verify whether token is compliant func (j * Jwt) CheckJwtString (input string) bool {arr: = strings.Split (input) ".") / / whether the format is correct if len (arr)! = 3 {return false} / / signature signByte: = j.signFun ([] byte (string (arr [0]) + "." + string (arr [1])) if string (signByte)! = arr [2] {return false} return true}

This file has already written the core of JWT, and now you just need to fill it according to the encryption algorithm you want.

Let's implement the simplest RS256 algorithm and create a new bs.go file as follows:

Package jwt import ("crypto/sha256"encoding/base64"fmt") func NewRS256 () IJwt {jwtM: = Jwt {} / / Sha256 jwtM.SetSignFunc (func (bytes [] byte) string {h: = sha256.New () h.Write (bytes) return fmt.Sprintf ("% x") H.Sum (nil)}) / / base64 jwtM.SetEncodeFunc (func (bytes [] byte) string {return base64.URLEncoding.EncodeToString (bytes)}) return & jwtM}

I use base64 to encrypt header and payload, and sha256 to sign. Of course, the JWT generated by this algorithm is easy to be changed and imitated by people, and can not be used in production.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.