2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Reference: https://jwt.io/introduction/
single-sign-on is a single sign-on system written in the Go language. Before looking at the code, here is a brief introduction to JWT.
Brief introduction to JSON Web Token
JWT is an open standard (RFC 7519) that defines a compact and self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. A JWT can be signed using a secret (with the HMAC algorithm) or with a public/private key pair using RSA.
Compact: because of their small size, JWTs can be sent through a URL, a POST parameter, or inside an HTTP header. In addition, the smaller size means faster transmission.
Self-contained: the payload contains all the required information about the user, avoiding the need to query the database more than once.
JSON Web Token application scenarios
Authentication: this is the most common scenario for using JWT. Once the user is logged in, each subsequent request includes the JWT, allowing the user to access the routes, services, and resources that are permitted with that token. Single sign-on is a feature of JWT that is widely used today because of its small overhead and because it can easily be used across different domains.
Information exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed, for example using a public/private key pair, you can be sure the sender is who they say they are. In addition, because the signature is calculated over the header and the payload, you can also verify that the content has not been tampered with.
JWT structure
A JSON Web Token consists of three parts separated by dots (.): the header, the payload, and the signature.
A JWT therefore typically looks like this:
xxxxx.yyyyy.zzzzz
Header
The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.
For example:
{
  "alg": "HS256",
  "typ": "JWT"
}
This JSON is then Base64Url encoded to form the first part of the JWT.
Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically the user) together with additional metadata. There are three types of claims: reserved, public and private.
Reserved claims: a set of predefined claims that are not mandatory but are recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and so on.
Note that the claim names are only three characters long, because JWT is meant to be compact.
Public claims: these can be defined at will by those using JWTs. To avoid collisions, however, they should either be registered in the IANA JSON Web Token Registry or be defined as a URI that contains a collision-resistant namespace.
Private claims: custom claims created to share information between parties that agree on using them.
An example payload could be:
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}
The payload is then Base64Url encoded to form the second part of the JSON Web Token.
Signature
To create the signature part you take the encoded header, the encoded payload, a secret, and the algorithm specified in the header, and sign that.
For example, if you want to use the HMAC SHA256 algorithm, the signature is created as follows:
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)
The signature is used to verify that the sender of the JWT is who it claims to be, and to ensure that the message was not changed along the way.
Putting it all together
The output is three Base64Url strings separated by dots that can easily be passed around in HTML and HTTP environments, while being more compact than XML-based standards such as SAML.
A JWT that has the previous header and payload encoded, and is signed with a secret, is shown below.
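As an added example (not code from the original article or from the single-sign-on project), the Go program below carries out the HMACSHA256 signing step above on the page's header and payload, and then performs the check a protected route does on an incoming token: pin the algorithm, recompute the MAC, compare in constant time, and only then trust the claims. The function names Sign, Verify and hmacSHA256 are my own, and the secret used in the test is a constructed demo value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// JWT uses unpadded Base64Url for all three dot-separated parts.
var b64 = base64.RawURLEncoding
// hmacSHA256 is the HMACSHA256(...) step from the text, keyed with the shared secret.
func hmacSHA256(signingInput string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Sign builds base64url(header) + "." + base64url(payload), signs it with
// HS256 and appends the signature as the third part.
func Sign(headerJSON, payloadJSON string, secret []byte) string {
	in := b64.EncodeToString([]byte(headerJSON)) + "." + b64.EncodeToString([]byte(payloadJSON))
	return in + "." + b64.EncodeToString(hmacSHA256(in, secret))
}

// Verify is what a protected route does with the bearer token: the alg is pinned to
// HS256 (a header saying "none" or RSA is rejected, not trusted), the MAC is recomputed
// and compared in constant time, and only then are the claims decoded.
func Verify(token string, secret []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected header.payload.signature")
	}
	var hdr struct{ Alg string `json:"alg"` }
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("jwt: malformed header or unsupported alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hmacSHA256(parts[0]+"."+parts[1], secret)) {
		return nil, errors.New("jwt: signature mismatch")
	}
	var claims map[string]interface{}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawPayload, &claims) != nil {
		return nil, errors.New("jwt: malformed payload")
	}
	return claims, nil
}
```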
How JSON Web Tokens work
In authentication, when the user successfully logs in using their credentials, a JSON Web Token is returned and must be saved locally (typically in local storage, although cookies can also be used), instead of the traditional approach of creating a session on the server and returning a cookie.
Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer scheme. The content of the header should look like this:
Authorization: Bearer <token>
This is a stateless authentication mechanism, as the user state is never saved in server memory. The server's protected routes check for a valid JWT in the Authorization header, and if it is present, the user is allowed to access the protected resource. Because JWTs are self-contained, all the necessary information is there, reducing the need to query the database multiple times.
This allows you to rely fully on stateless data APIs and even to make requests to downstream services. It does not matter which domain serves your API, so Cross-Origin Resource Sharing (CORS) is not an issue, because no cookies are used.
The following figure shows this process:
Why should we use JWT?
Let's talk about the benefits of JSON Web Tokens (JWT) compared with Simple Web Tokens (SWT) and Security Assertion Markup Language (SAML) tokens.
As JSON is less verbose than XML, it is also smaller when encoded, making JWT more compact than SAML. This makes JWT a good choice for passing around in HTML and HTTP environments.
Security-wise, SWT can only be symmetrically signed using a shared secret with the HMAC algorithm. JWT and SAML tokens, however, can use a public/private key pair in the form of an X.509 certificate for signing. Compared with the simplicity of signing JSON, signing XML with XML Digital Signature without introducing obscure security holes is very difficult.
JSON parsers are common in most programming languages because they map directly to objects. In contrast, XML has no natural document-to-object mapping. This makes it easier to work with JWT than with SAML assertions.
Regarding usage, JWT is used at Internet scale. This highlights how easy it is to process JSON Web Tokens on the client side across multiple platforms, especially mobile.
Go project code (practical example)
Login with mobile number + verification code, email + verification code, and WeChat third-party authorization is supported.
Supports login by mobile number, user name, email address and WeChat.
Supports password recovery by mobile phone and by email.
Supports the Aliyun Communication and Huyi Wireless (互亿无线) SMS verification code services.
Code path: https://github.com/KenmyZhang/single-sign-on
package api

import (
	"fmt"
	"net/http"
	"regexp"
	"strconv"

	l4g "github.com/alecthomas/log4go"
	"github.com/KenmyZhang/single-sign-on/app"
	"github.com/KenmyZhang/single-sign-on/model"
	"github.com/KenmyZhang/single-sign-on/sqlStore"
	"github.com/KenmyZhang/single-sign-on/utils"
)

// InitUser registers the user routes. Judging by the wrapper names, handlers wrapped in
// ApiCustomClaimsRequired only run when the request carries a valid JWT with the expected
// claims, while ApiHandler routes (login, signup, code sending, password reset) are reachable
// without a token.
func InitUser() {
	l4g.Debug(utils.T("api.user.init.debug"))

	BaseRoutes.User.Handle("", ApiCustomClaimsRequired(getUser)).Methods("GET")
	BaseRoutes.User.Handle("/image", ApiHandler(getProfileImage)).Methods("GET")
	BaseRoutes.User.Handle("/image", ApiCustomClaimsRequired(setProfileImage)).Methods("POST")

	BaseRoutes.Users.Handle("/login", ApiHandler(login)).Methods("POST")
	BaseRoutes.Users.Handle("/logout", ApiHandler(logout)).Methods("POST")
	BaseRoutes.Users.Handle("/sendsms", ApiHandler(sendSmsCode)).Methods("POST")

	BaseRoutes.Users.Handle("/phone/signup", ApiHandler(signupByMobile)).Methods("POST")
	BaseRoutes.Users.Handle("/phone/login", ApiHandler(loginByMobile)).Methods("POST")
	BaseRoutes.Users.Handle("/phone/exist", ApiHandler(isMobileExist)).Methods("POST")
	BaseRoutes.Users.Handle("/phone/reset", ApiHandler(resetPasswordByMobile)).Methods("POST")

	BaseRoutes.Users.Handle("/email/verify/code/send", ApiHandler(sendVerificationCodeEmail)).Methods("POST")
	BaseRoutes.Users.Handle("/email/signup", ApiHandler(signupByEmail)).Methods("POST")
	BaseRoutes.Users.Handle("/email/exist", ApiHandler(isEmailExist)).Methods("POST")
	BaseRoutes.Users.Handle("/email/reset", ApiHandler(resetPasswordByEmail)).Methods("POST")

	BaseRoutes.Users.Handle("/search", ApiCustomClaimsRequired(searchUsers)).Methods("POST")
}
Recommended articles:
https://www.cnblogs.com/lyzg/p/6132801.html
https://studygolang.com/articles/11793