
What is token certification?

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces what token authentication is. The content is detailed and easy to follow, the operations are simple, and it has some reference value; I believe you will gain something from reading it, so let's take a look.

Earlier development was mostly based on MVC, but with the rapid growth of the Internet industry it has gradually evolved into a separation of front end and back end. If such a project needs a login, the token becomes the only credential exchanged between front end and back end.

"Token" means a sign or a voucher, and in IT the word is used as-is. In computer authentication it denotes a (temporary) credential, and in lexical analysis it denotes a lexical unit. It is commonly used for invitation and login systems. Before we get to token authentication, let's review the common Internet authentication mechanisms.

I. HTTP Basic Auth

There are two common forms of HTTP Basic Auth. The first is the most familiar: when we open certain web pages, the browser prompts us for a user name and password. The other is to encode the user name and password into a string with base64, place it in the Authorization header of the HTTP request, and send it to the server.

This is the most primitive form of authentication and its drawback is obvious: the credentials in the HTTP header are easy to capture and read, because base64 is a reversible encoding, not encryption. Furthermore, after receiving the user name and password, the server must look them up in the database and compare them on every request, which adds load on the server.
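To make the header format concrete, here is an added example (not code from the original article) that builds and parses an Authorization header of the Basic scheme. It shows that the credentials come back out with no secret at all, which is why the text calls them easy to obtain, and it compares the password in constant time on the server side. The user list and password are constructed demo values.

```python
import base64
import binascii
import hmac

# Constructed demo credentials; a real server would look these up in its user store.
DEMO_USERS = {"alice": "correct horse battery staple"}


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value exactly as a browser would."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value: str):
    """Recover (username, password) from a Basic header, or None if malformed.

    No key is needed: base64 only encodes, so anyone who captures the header
    recovers the credentials in the clear.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id must not contain ':', so split on the first colon only.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def check_basic(header_value: str) -> bool:
    """Server-side check: decode the header, then compare in constant time."""
    creds = decode_basic(header_value)
    if creds is None:
        return False
    username, password = creds
    expected = DEMO_USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
```

Because decode_basic succeeds without any key, Basic auth is only acceptable over TLS, and even then the server still has to hit its user store on every request.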

II. Session+cookie mode

Suppose we have a query web site and it is unacceptable to log in on every visit. To avoid repeated logins, a login can be made to last for a fixed period, which is what the session+cookie mode provides. On the first login this mode uses HTTP Basic Auth. After successful authentication, to avoid checking the user name and password against the database on every request, the server stores a copy of the login session information, the client records the corresponding session identifier in its cookie, and an expiry time is kept with the cookie.

The advantages and disadvantages of this model are obvious. Session information needs additional storage, such as redis, memcached or similar, and under multi-machine load, session sharing has to be considered. The benefit is also obvious: because session information is managed centrally, the server can uniformly control the expiry of authentication, or expire an individual user's session.
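The following added example (not code from the original article) shows the server side of the session+cookie mode: an in-memory session store standing in for the redis/memcached instance the text mentions, a Set-Cookie header carrying the session id, and lookup of the session from a request's Cookie header. It also shows the benefit the text highlights, revoking one user's sessions from the server. The store class, the cookie name "sid" and the time-to-live are assumptions for the demo; the injectable clock exists only to make expiry testable.

```python
import secrets
import time

SESSION_TTL = 30 * 60  # assumed lifetime: 30 minutes


class SessionStore:
    """In-memory stand-in for the redis/memcached store the text mentions."""

    def __init__(self, ttl: int = SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested
        self._sessions = {}         # sid -> {"user": ..., "expires": ...}

    def create(self, username: str) -> str:
        # 256 bits of randomness: the sid must be unguessable, it is the credential.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "expires": self.clock() + self.ttl}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, purging it if expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            del self._sessions[sid]
            return None
        return entry["user"]

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def revoke_user(self, username: str) -> int:
        """Central management: log one user out everywhere. Returns sessions removed."""
        doomed = [sid for sid, e in self._sessions.items() if e["user"] == username]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def set_cookie_header(sid: str, ttl: int = SESSION_TTL) -> str:
    """Response header after login. HttpOnly keeps scripts from reading the sid,
    Secure restricts it to TLS, SameSite limits cross-site sending."""
    return f"Set-Cookie: sid={sid}; Max-Age={ttl}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_from_cookie(cookie_header: str, store: SessionStore):
    """Parse a request's Cookie header and resolve the sid through the store."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value:
            return store.lookup(value)
    return None
```

Note that nothing about the user is stored in the cookie itself: the browser only holds a random handle, and every decision (validity, expiry, revocation) is taken from the server-side record.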

III. Simple token authentication

The most common scenario for token authentication is calling a query API (a RESTful API). When there is no security requirement, anyone can obtain the required information with a GET or POST request. When there is a security requirement, authentication is generally needed before the information can be obtained. In this case, after HTTP Basic Auth authentication completes, the server returns a unique identifier similar to a UUID to the client, which we call the token. The token can be placed in the URL or in the HTTP headers, as in the following common URL forms:

Http://api,361way.com/getinfo?token=xxxxx or http://api,361way.com/getinfo?t=xxxxx, followed by the corresponding query information, can obtain the corresponding data.

The advantage of the token is that the server does not need to store the corresponding information; but if the token is intercepted in transit by a malicious party, it can just as easily be used to obtain data illegally.

Since this simple token string carries no expiry information, one way to strengthen it is to have the server embed a timestamp when it generates the token. When the server receives a request from the client carrying the token, it first validates the token and decodes the timestamp from it. If the timestamp is older than a certain point in time, the token is considered expired and the client must obtain a new one.
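The timestamped token described above, as an added example that is not part of the original article. Instead of encrypting the timestamp, the example binds it to the token with an HMAC under a server-side key, which is the standard way to let the server trust what it reads back; a token whose body has been edited, signed with a different key, or issued too long ago is rejected. The key, the claim names and the 15-minute lifetime are constructed demo values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real deployment loads it from a secret store.
SERVER_KEY = b"demo-only-server-key-do-not-reuse"
TOKEN_TTL = 15 * 60  # assumed lifetime in seconds


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, now=None, key: bytes = SERVER_KEY) -> str:
    """Server side: body carries the user and the issue time; tag authenticates the body."""
    now = int(time.time() if now is None else now)
    claims = {"uid": user_id, "iat": now, "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64url(body) + "." + _b64url(tag)


def verify_token(token: str, now=None, key: bytes = SERVER_KEY, ttl: int = TOKEN_TTL):
    """Return the user id for a genuine, unexpired token, else None."""
    now = int(time.time() if now is None else now)
    try:
        body_b64, tag_b64 = token.split(".")
        body = _b64url_decode(body_b64)
        tag = _b64url_decode(tag_b64)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Check the tag before trusting anything inside the body.
        if not hmac.compare_digest(tag, expected):
            return None  # forged, tampered, or signed with another key
        claims = json.loads(body)
        issued = int(claims["iat"])
    except (ValueError, KeyError, TypeError, binascii.Error, UnicodeDecodeError):
        return None
    if now - issued > ttl:
        return None  # expired: client must obtain a new token
    if issued > now + 60:
        return None  # issued "in the future" beyond clock skew tolerance
    return claims["uid"]
```

The server still stores nothing per token, which keeps the statelessness the text credits to simple tokens, while gaining an expiry it can enforce. What it cannot do is revoke a single token early; that is exactly the trade-off against the session store.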

IV. OAuth certification

OAuth (Open Authorization) is an open authorization standard that allows third-party applications to access private resources (such as photos, videos, contact lists) that the user stores on a web service, without the user handing a user name and password to the third-party application. OAuth lets the user give the third party a token, rather than a user name and password, to access the data held by a specific service provider. Each token authorizes a specific third-party system (for example, a video editing website) to access specific resources (for example, only the videos in one album) for a specific period of time (for example, the next 2 hours). In this way, OAuth lets users authorize a third-party website to access some specific information they keep with another service provider, rather than all of it.

That description is rather roundabout. For example, many websites offer a "log in with QQ or WeChat" option, and QQ or WeChat provides the OAuth authentication. Although the name OAuth sounds exotic, in essence it is still token authentication; if you examine the text above carefully, the principle is the same as the simple token authentication mentioned earlier, except that it adds several callbacks. Take Douban's use of QQ's OAuth as an example. The calling sequence is as follows:

# initiate authentication: http://www.douban.com/leadToAuthorize
# redirect to QQ authentication and specify the callback: http://www.qq.com/authorize?callback=www.douban.com/callback
# return the authorization code to the Douban callback: http://www.douban.com/callback

V. JWT authentication
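To make the callback sequence above concrete, here is an added example (not code from the original article or from QQ or Douban) that simulates the provider's side of an authorization-code exchange: a registered client sends the user to the provider, the provider hands back a short-lived, single-use code on the registered callback, the client's back end trades the code plus its client secret for a token, and the token is limited to the granted scope and lifetime. The class, the client registration and the 60-second code / 2-hour token lifetimes are assumptions for the demo.

```python
import secrets
import time


class AuthorizationServer:
    """Toy stand-in for the provider (the QQ side in the text)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}    # code -> {"client_id", "user", "scope", "expires"}
        self.tokens = {}   # access_token -> {"user", "scope", "expires"}

    def register_client(self, client_id: str, client_secret: str, redirect_uri: str) -> None:
        """Done once, out of band, when the third party (Douban) signs up with the provider."""
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id: str, redirect_uri: str, scope: set, user: str, approved: bool):
        """Steps 1-2: the user, logged in at the provider, approves or declines the request.
        Returns the code that would be sent to the callback, or None if declined."""
        client = self.clients.get(client_id)
        # The callback must be the one registered, so codes cannot be sent elsewhere.
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not approved:
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "user": user, "scope": set(scope),
                            "expires": self.clock() + 60}
        return code

    def exchange_code(self, client_id: str, client_secret: str, code: str, redirect_uri: str):
        """Step 3: the client's back end swaps the code for a scoped, time-limited token."""
        client = self.clients.get(client_id)
        entry = self.codes.pop(code, None)  # single use: any attempt consumes it
        if client is None or entry is None:
            return None
        if not secrets.compare_digest(client_secret, client["secret"]):
            return None
        if entry["client_id"] != client_id or client["redirect_uri"] != redirect_uri:
            return None
        if self.clock() > entry["expires"]:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": entry["user"], "scope": entry["scope"],
                              "expires": self.clock() + 2 * 3600}
        return token

    def resource(self, token: str, needed_scope: str):
        """Resource access with the token: enforce scope and lifetime, nothing more."""
        t = self.tokens.get(token)
        if t is None or self.clock() > t["expires"] or needed_scope not in t["scope"]:
            return None
        return {"user": t["user"], "scope": needed_scope}
```

The user's QQ password never reaches Douban; what Douban holds is a token that only works for the scope the user approved and only for its lifetime, which is the point the text makes about OAuth being token authentication with callbacks added.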

JSON Web Token (JWT) is a very lightweight specification. It allows us to use a JWT to pass secure and reliable information between the user and the server. A JWT is actually a string consisting of three parts: the Header, the Payload, and the Signature. Only a brief outline of the theory is given here; there will be another blog post for in-depth discussion.

The Payload holds JSON content that records the issuer, the issue time, the expiry time, and some data fields:

{
  "iss": "Online JWT Builder",
  "iat": 1416797419,
  "exp": 1448333419,
  "aud": "www.example.com",
  "sub": "jrocket@example.com",
  "GivenName": "Johnny",
  "Surname": "Rocket",
  "Email": "jrocket@example.com",
  "Role": ["Manager", "Project Administrator"]
}

The Header records the token type (JWT) and the signing algorithm. For example:

{"typ": "JWT", "alg": "HS256"}

Finally, the Header and Payload are each BASE64-encoded, and the Signature is computed over those two encoded parts using the secret key and the algorithm named in the Header (HS256 is HMAC with SHA-256). The three parts are joined with dots to form the JWT token. Comparing the simple token with the JWT, both are essentially tokens, but the JWT carries more information inside the token itself.
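The three-part construction just described, as an added example (not code from the original article). It builds an HS256 JWT from the Header and Payload shown above and verifies one, checking the signature, the "exp" claim and the "aud" claim; the verifier pins the algorithm to HS256 rather than trusting the token's own Header, so a token whose Header claims a different algorithm is rejected. The key is a constructed demo value.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time


def b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(payload: dict, key: bytes) -> str:
    """header.payload.signature, signed with HMAC-SHA256 (HS256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    h64 = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p64 = b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{h64}.{p64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{h64}.{p64}." + b64url(sig)


def jwt_decode(token: str, key: bytes, audience: str, now=None):
    """Return the payload of a valid token for this audience, else None."""
    now = int(time.time() if now is None else now)
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        payload = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # missing or past expiry
    if payload.get("aud") != audience:
        return None  # issued for a different consumer
    return payload
```

Because the Payload is only base64url-encoded, anyone holding the token can read the claims; the signature protects their integrity, not their confidentiality, so secrets do not belong in a JWT payload.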

This is the end of the article on "What is token authentication?". Thank you for reading! I believe everyone now has some understanding of token authentication. If you want to learn more, you are welcome to follow the industry information channel.
