How to apply JWT

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces the basics of "how to apply JWT". Many people run into trouble with this in practice, so the editor walks through how to handle these situations; read carefully and you should be able to take something away from it.

What is JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) based on JSON for passing claims between parties in a networked application. The token is designed to be compact and tamper-evident, and it is particularly suited to single sign-on (SSO) across distributed sites.

JWT claims are generally used to carry an authenticated user's identity between the identity provider and the service provider so that resources can be obtained from the resource server; additional claims needed by other business logic can be added as well. The token can also be used directly for authentication, and it can be encrypted.

The composition of JWT

A JWT consists of three parts:

The first part, called the header.

The second part, called the payload.

The third part, the signature.

Header:

The JWT header carries two pieces of information:

The token type, which is JWT

The signing algorithm, usually HMAC SHA256

The complete header is a small JSON object holding these two fields.

The header is then Base64url-encoded to form the first part. Base64 is an encoding, not encryption: anyone holding the token can reverse it.

Payload:

The payload is where the effective information (the claims) is carried; the name is borrowed from the cargo an aircraft carries. The claims come in three kinds:

Registered claims defined in the standard

Public claims

Private claims

Registered claims defined in the standard (recommended but not mandatory):

iss: issuer of the JWT

sub: the subject, i.e. the user the JWT is about

aud: the audience, i.e. the party that receives the JWT

exp: the expiration time of the JWT, which must be later than the issuing time

nbf: the time before which the JWT is not yet valid

iat: the issuing time of the JWT

jti: the unique identifier of the JWT, mainly used to make the token one-time and so prevent replay attacks

Public claims:

Public claims can carry any information, usually user-related data or other information the business needs. Sensitive information should not be placed here, because this part can be decoded on the client side.

Private claims:

Private claims are agreed jointly between the provider and the consumer. Again, storing sensitive information here is not recommended, because Base64 is reversible by anyone, so this part is effectively plaintext.

Define a payload with the chosen claims, then Base64url-encode it to get the second part of the JWT.

Signature:

The third part of the JWT is the signature, which is computed from three inputs:

Header (after Base64url encoding)

Payload (after Base64url encoding)

Secret

The Base64url-encoded header and the Base64url-encoded payload are joined with a dot, and the result is signed with the secret using the algorithm declared in the header (HMAC SHA256 here). The output is the third part of the JWT.

Joining these three parts with dots gives the final JWT (header.payload.signature).

Note: the secret is stored on the server side, and the JWT is also issued and generated on the server side. The secret is used both to issue JWTs and to verify them.

It is therefore effectively your server's private key and must not be disclosed in any scenario. Once a client knows the secret, it can sign JWTs itself.

How to apply

Add an Authorization header to the request and mark it with Token:

headers: {'Authorization': 'Token ' + token}

The server validates the token and, if verification passes, returns the requested resource.
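As an added example that is not part of the original article, the following Python builds a token exactly as the three sections above describe (header, payload, HMAC SHA256 over the dot-joined Base64url parts) and then performs the server-side check of the Authorization: Token header just shown. The secret and the claim values are constructed for illustration.

```python
# Added example (not from the original article): build and verify an HS256 JWT with
# only the standard library, then check an "Authorization: Token <jwt>" header.
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"server-side-secret-change-me"  # constructed value; must never leave the server

def b64url(data: bytes) -> str:
    # JWT uses unpadded base64url; this is encoding, not encryption.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(claims: dict, secret: bytes = SECRET) -> str:
    """header.payload.signature, each part base64url-encoded."""
    header = {"typ": "JWT", "alg": "HS256"}
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

def verify(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Return the claims if the token is authentic and current, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Pin the algorithm: the token must not choose how it gets verified.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims

def authenticate(headers: dict, now: Optional[int] = None) -> dict:
    """Server side: extract the token from 'Authorization: Token <jwt>' and verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Token" or not token:
        raise ValueError("missing Token credentials")
    return verify(token, now=now)
```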

This concludes "how to apply JWT". Thank you for reading. If you want to learn more about the industry, follow the website; the editor will keep producing practical articles for you!
