2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
First, pain points
As the business has grown, multiple business lines have been connected to the IM system, and the security of the IM system's long (persistent) connections has become very important.
Guazi has a unified login authentication system, SSO, and the IM long-connection channel also uses this system for authentication. The structure is shown in the figure below.
The authentication steps are as follows:
1. The user logs in to the App, and the App obtains the token issued by SSO from the business backend.
2. When the App needs to use the IM function, it passes the token to the IM client SDK.
3. The SDK presents the token for authentication when it establishes a long connection to the IM Server.
4. The IM Server asks the SSO system to confirm that the token is valid.
At first glance there is nothing wrong with this process, but because of the particular nature of IM (especially mobile IM), this structure does not work well.
Mobile networks are very unstable: entering or leaving the subway may drop the connection, and moving around may switch the phone to another base station. During a chat the long connection is often re-established, so step 3 runs frequently, and therefore step 4 runs frequently too. This (1) greatly increases the load on the SSO system, and (2) the longer call chain adds latency that hurts the user experience (the SSO system may also be temporarily unavailable).
If step 4 were not needed to complete the verification, this pain point would be greatly alleviated. That led us to JWT.
Second, what is JWT?
This is how JWT is defined on the official website: JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way of securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
What can JWT do?
1. Authorization (Authorization)
This is the most common usage scenario for JWT. Once the user logs in, each subsequent request will be accompanied by a JWT to access the routes, services, and resources allowed by the token.
JWT is now widely used for single sign-on because it has little overhead and is easy to use across domains.
2. Information Exchange (Information Exchange)
JWT is a good way of securely transmitting information between parties. Because a JWT can be signed (for example with a public/private key pair; see "Is your HTTP API signature verified correctly?"),
you can be sure the sender is who it claims to be. In addition, because the signature is calculated over the header and the payload, you can also verify that the content has not been tampered with.
JWT data structure
A JWT consists of three parts separated by ".": Header, Payload and Signature.
Header
The header usually consists of two parts: the type of the token and the signing algorithm used, for example {"alg": "HS256", "typ": "JWT"}. This JSON is then Base64Url-encoded to form the first part of the JWT.
Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically the user) plus additional metadata. There are three types of claims: registered, public and private.
Signature
The signature is computed over the encoded header and payload using the specified algorithm and the secret (or private key), so that any tampering with those two parts can be detected. Note that Base64Url is an encoding, not encryption: anyone who holds the token can read the header and payload, so the payload must not carry secrets.
For more information on JWT, see
https://jwt.io/introduction/
Third, how to do verification
The process of verifying the long connection with JWT is as follows:
1. The user logs in to the App, and the App obtains the token issued by SSO from the business backend.
2. When the App needs to use the IM function, it passes the token to the IM client SDK.
3. The SDK sends the user name and the token obtained in step 2 to the backend JWT Server (the module that issues the jwttoken) and requests a jwttoken.
4. The JWT Server verifies the validity of the token with the SSO system. If it is valid, it issues a jwttoken according to business needs, signed with the public/private key pair agreed with the IM Server (or with a shared secret, i.e. HMAC), and returns it to the IM client SDK.
5. The IM client SDK uses the jwttoken it obtained to authenticate the long connection to the IM Server. The IM Server verifies the jwttoken itself according to the agreed algorithm, without depending on any other system.
This resolves the verification pain point caused by frequently re-establishing long connections: the SSO system is consulted once per jwttoken issuance rather than once per reconnection.
Fourth, shortcomings
1. The biggest disadvantage of JWT is that the server keeps no session state, so a token cannot be revoked, nor can its permissions be changed, while it is in use. In other words, once a JWT has been issued it remains valid until it expires.
2. A JWT itself carries the authentication information, so if it leaks, anyone holding it gets all of the token's permissions. To limit the damage from a stolen token, the validity period of a JWT should not be set too long, and for important operations the user should be re-authenticated each time.
3. To reduce the risk of theft, JWTs should not be transmitted over plain HTTP but over encrypted HTTPS (TLS).
The following article describes some scenarios where JWT applies:
https://www.jianshu.com/p/af8360b83a9f
© 2024 shulou.com SLNews company. All rights reserved.