Shulou(Shulou.com)06/02 Report--

This article mainly introduces what jwt refers to, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand it.

Jwt is just an acronym, and the full spelling is JSON Web Tokens. It is a popular cross-domain authentication solution, a JSON-based token token used to declare certain claims on the network.

JWT principle

Jwt authentication method is to encrypt the user information to generate token, each request server only needs to use the saved key to verify the correctness of the token, no longer need to save any session data, and then the server becomes stateless and easy to expand.

User information before encryption, such as:

{"username": "vist", "role": "admin", "expire": "2018-12-08 20:20:20"}

The token received by the client:

7cd357af816b907f2cc9acbe9c3b4625

JWT structure

A token is divided into three parts:

Head (header)

Load (payload)

Signature (signature)

Three parts are used with "." To separate, such as:

EyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Head

The header of the JWT is a JSON object that describes the metadata, usually:

{"typ": "JWT", "alg": "HS256"}

Typ is the declaration type, specifying "JWT"

Alg is the encryption algorithm. The default is "HS256".

It can also be one of the following algorithms:

Load

Payload is the carrier of data, which is used to store the data information that needs to be transmitted, and it is also a JSON object.

JWT official recommended fields:

Iss: issuer of jwt

Sub: the user for which jwt is targeted

Aud: the party that receives the jwt

Exp: the expiration time of jwt, which must be greater than the issuing time

Nbf: defines when the jwt is not available.

Iat: the issuing time of the jwt

Jti: the unique identity of the jwt, mainly used as an one-time token to avoid replay attacks.

You can also use custom fields, such as:

{"username": "vist", "role": "admin"}

Signature

The signature part is the signature of the first two parts (header, payload) to prevent data tampering.

Follow these steps to generate:

1. Specify the key (secret) first

2. Base64 the information of head (header) and load (payload) respectively.

3. Use the algorithm specified by the header (header) to encrypt

Finally, the signature (signature) = HMACSHA256 (base64UrlEncode (header) + "." + base64UrlEncode (payload), secret)

The signature obtained by the client:

Header.payload.signature

JWT can also be re-encrypted.

JWT usage

1. According to the login status of the user, the server encrypts the user information into token and returns it to the client.

2. The client receives the token returned by the server and stores it in cookie

3. Each communication between the client and the server comes with token, which can be placed in the http request header information, such as in the Authorization field.

4. The server decrypts the token, verifies the content and completes the corresponding logic.

Characteristics of JWT

JWT is more concise and more suitable for delivery in HTML and HTTP environments

JWT is suitable for one-time verification, such as activating email.

JWT is suitable for stateless authentication

JWT is suitable for server CDN distribution.

It takes less time than database Session query.

JWT does not encrypt by default

You cannot cancel the token or change the permissions of the token during use.

JWT recommends using the HTTPS protocol to transfer the code

Thank you for reading this article carefully. I hope the article "what does jwt mean" shared by the editor will be helpful to everyone? at the same time, I also hope that you will support us and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.