JWT认证原理

简介:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

是一种小巧的、自包含的JSON对象,用于两个端系统之间的安全传输,它是一种数字标签,它可以使用了一种严格的算法进行签名,或者使用公钥和私钥的形式进行签名

JWT的使用场景

  • Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.↳

  • Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.

1、授权: 比如在web应用当中我们通常需要使用到授权,来给授权用户进行访问相应的路由、服务和资源

2、信息的交换:因为JWT是被签名的,所以能够非常安全的在端系统之间传输消息,通过JWT你可以确认发送者和内容是否被篡改

JWT的结构

In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:↳

  • Header

  • Payload

  • Signature

Therefore, a JWT typically looks like the following.

xxxxx.yyyyy.zzzzz

Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.↳

For example:

{
  "alg": "HS256",
  "typ": "JWT"
}

Then, this JSON is Base64Url encoded to form the first part of the JWT.

Payload

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.↳

  • Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.

  • Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.

  • Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered or public claims.

An example payload could be:↳

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

The payload is then Base64Url encoded to form the second part of the JSON Web Token.

Signature

To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.↳

For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.

Putting all together

The output is three Base64-URL strings separated by dots that can be easily passed in HTML and HTTP environments, while being more compact when compared to XML-based standards such as SAML.

The following shows a JWT that has the previous header and payload encoded, and it is signed with a secret.

Encoded JWT

JWT是如何工作的

In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned. Since tokens are credentials, great care must be taken to prevent security issues. In general, you should not keep tokens longer than required.

一般就是用户成功获取到资格后,服务器需要返回一个JWT,用户进行保存,当时注意JWT的保存时间,需要在特定时间进行删除,若用户需要再次获取,经过上一个步骤

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:↳

Authorization: Bearer <token>

当我们请求受保护的路由和资源的时候需要再请求中携带JWT,典型的就是在请求头中设置Authorization字段,如上

This can be, in certain cases, a stateless authorization mechanism. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources. If the JWT contains the necessary data, the need to query the database for certain operations may be reduced, though this may not always be the case.

Note that if you send JWT tokens through HTTP headers, you should try to prevent them from getting too big. Some servers don't accept more than 8 KB in headers. If you are trying to embed too much information in a JWT token, like by including all the user's permissions, you may need an alternative solution, like Auth0 Fine-Grained Authorization.

如果你携带了JWT,服务器的保护路由将会检查你头部的Authorization是否携带了一个真确的JWT,如果有就会放行,如果你JWT包括了一些必要的数据,比如userid 或者 username 对于某些操作,你就可以不需要去进行数据库的查询了,当是不能够让Http请求的头部较大,大部分的服务器接收的请求头不能操作8KB

If the token is sent in the Authorization header, Cross-Origin Resource Sharing (CORS) won't be an issue as it doesn't use cookies.

此处它指出,JWT并不需要使用cookies,所以能解决跨域问题,更适用于前后端分离的项目当中

The following diagram shows how a JWT is obtained and used to access APIs or resources:

How does a JSON Web Token work

  1. The application or client requests authorization to the authorization server. This is performed through one of the different authorization flows. For example, a typical OpenID Connect compliant web application will go through the /oauth/authorize endpoint using the authorization code flow.

  2. When the authorization is granted, the authorization server returns an access token to the application.

  3. The application uses the access token to access a protected resource (like an API).

Do note that with signed tokens, all the information contained within the token is exposed to users or other parties, even though they are unable to change it. This means you should not put secret information within the token.

JWT官网

我之前使用Node.js去实现过,后续会将实现代码进行一个补充

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/495323.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

windows-MySQL5.7安装

1.安装包下载 https://downloads.mysql.com/archives/community/&#xff08;社区版下载链接&#xff09; 选择Archives可以下载历史包&#xff0c;此处使用5.7.43 2.解压文件 解压文件到你指定安装的目录&#xff1a;解压完成后在mysql-5.7.43-winx64下新建文件my.ini和d…

护眼台灯哪个牌子最好?五款骨灰级硬核机型推荐!

在快节奏的现代生活中&#xff0c;保护视力、提升学习和工作效率都离不开一盏优质的护眼台灯。然而&#xff0c;市面上的护眼台灯品牌琳琅满目&#xff0c;让人在选择时感到迷茫。为了帮助大家找到最适合自己的护眼台灯&#xff0c;本文将为大家推荐五款具备骨灰级硬核实力的护…

Mac添加和关闭开机应用

文章目录 mac添加和关闭开机应用添加开机应用删除/查看 mac添加和关闭开机应用 添加开机应用 删除/查看 打开&#xff1a;系统设置–》通用–》登录项–》查看登录时打开列表 选中打开项目&#xff0c;点击“-”符号

迁移Anaconda环境,无需重复安装

换电脑后&#xff0c;想要直接迁移Anaconda环境&#xff0c;直接复制Anaconda文件后&#xff0c;再做以下两步即可&#xff1a; 1.添加环境变量 2.添加Anaconda prompt winR输入cmd进入命令行 进入conda安装的目录&#xff0c;运行&#xff1a; python .\Lib\_nsis.py mkmenu…

【学习】软件测试行业有哪些从业方向

从事任何一个行业&#xff0c;不论想入行的新人还是已经在职的从业人员&#xff0c;一定要系统化的掌握自身的学习路线和发展方向&#xff0c;随时对自身的优劣点掌握清楚。尤其是对于软件测试这个岗位。测试职业所涉及的技能范围比较广&#xff0c;测试流程、测试计划、缺陷管…

MySQL中的数据备份

1. 逻辑备份 备份的是建表、建库、插入等操作所执行SQL语句&#xff0c;适用于中小型数据库&#xff0c;效率相对较低。 本质&#xff1a;导出的是SQL语句文件 优点&#xff1a;不论是什么存储引擎&#xff0c;都可以用mysqldump备成SQL语句 缺点&#xff1a;速度较慢&…

【第三方登录】Twitter

创建应用 APPID 和 相关回调配置 重新设置api key 和 api secret 设置回调和网址 还有 APP的类型 拿到ClientID 和 Client Secret 源码实现 获取Twitter 的登录地址 public function twitterUrl() {global $db,$request,$comId;require "inc/twitter_client/twitte…

【C语言】 scanf输入函数

文章目录 C语言中的输入函数&#xff1a;scanf详解与应用基本语法处理分隔符自动处理空白字符使用非空白字符作为分隔符 检查scanf的返回值灵活处理多个输入项C语言中的输入函数小知识点总结结语 C语言中的输入函数&#xff1a;scanf详解与应用 C语言提供了一种强大的输入函数—…

【APP_TYC】数据采集案例天眼APP查_抓包分析_①

一杯敬朝阳 一杯敬月光 唤醒我的向往 温柔了寒窗 于是可以不回头地逆风飞翔 不怕心头有雨 眼底有霜 一杯敬故乡 一杯敬远方 守着我的善良 催着我成长 所以南北的路从此不再漫长 灵魂不再无处安放 &#x1f3b5; 毛不易《消愁》 准备工作 在开始之前&…

护眼台灯什么牌子好一点?五款护眼台灯实力强强PK

在当下快节奏的生活中&#xff0c;一盏优质的护眼台灯对于保护视力、提升学习和工作效率至关重要。然而&#xff0c;市面上的护眼台灯品牌众多&#xff0c;让人眼花缭乱。究竟哪个品牌的护眼台灯更好呢&#xff1f;本文将为大家介绍五款实力强劲的护眼台灯&#xff0c;从品牌实…

AI电影剪辑-巧用字幕批量剪辑电影短视频(一)

引言 实现AI电影剪辑是一项非常复杂和困难的任务&#xff0c;它涉及到多个领域和技术的交叉和融合&#xff0c;比如计算机视觉&#xff0c;自然语言处理&#xff0c;多媒体处理&#xff0c;机器学习&#xff0c;深度学习等。 目前&#xff0c;AI电影剪辑还处于一个初级的阶段…

ZC706+AD9361 运行 open WiFi

先到github上下载img&#xff0c;网页链接如下&#xff1a; https://github.com/open-sdr/openwifi?tabreadme-ov-file 用win32 Disk lmager 把文件写入到SD卡中&#xff0c;这一步操作会把SD卡重新清空&#xff0c;注意保存数据。这个软件我会放在最后的网盘链接中 打开linu…

【详细讲解如果Tomcat启动后闪退的解决方法】

&#x1f308;个人主页:程序员不想敲代码啊&#x1f308; &#x1f3c6;CSDN优质创作者&#xff0c;CSDN实力新星&#xff0c;CSDN博客专家&#x1f3c6; &#x1f44d;点赞⭐评论⭐收藏 &#x1f91d;希望本文对您有所裨益&#xff0c;如有不足之处&#xff0c;欢迎在评论区提…

Electron+Vue构建项目时出错:Error: Exit code: ENOENT. spawn /usr/bin/python ENOENT

问题&#xff1a;ElectronVue构建项目时出错&#xff1a;Error: Exit code: ENOENT. spawn /usr/bin/python ENOENT URL:https://github.com/nklayman/vue-cli-plugin-electron-builder/issues/1701 一&#xff0c;构建时node版本要低 同时构建命令如下&#xff1a; "el…

【蓝桥杯省赛真题34】python积木搭建 中小学青少年组蓝桥杯比赛 算法思维python编程省赛真题解析

python积木搭建 第十三届蓝桥杯青少年组python比赛省赛真题 一、题目要求 &#xff08;注&#xff1a;input&#xff08;&#xff09;输入函数的括号中不允许添加任何信息&#xff09; 1、编程实现 小蓝和小青在玩积木搭建游戏&#xff0c;具体玩法如下: 小蓝报一个数字N&…

【函数修改的重要问题】想要增加C++函数返回值,选择结构体?OR 额外参数?

作为一个程序员&#xff0c;我们经常会遇到这样的情况&#xff1a; 别人写的C项目&#xff0c;需要我们来进行 ”修改&#xff0c;或者增加功能“。 举个例子 我们需要对于一个已有的C函数&#xff0c;增加它的返回值信息&#xff0c;通常有两条路可走&#xff1a; 用结构体…

ROS2从入门到精通0-4:ROS2核心架构与常用指令大全

目录 0 专栏介绍1 ROS2核心架构1.1 工作空间1.2 功能包 2 ROS2常用指令2.1 功能包相关2.2 节点运行相关2.3 话题相关2.4 参数相关2.4 录制包、播放包相关2.5 服务相关2.6 动作相关2.7 生命周期相关 0 专栏介绍 本专栏旨在通过对ROS2的系统学习&#xff0c;掌握ROS2底层基本分布…

农村分散式生活污水分质处理及循环利用技术指南

标准已完成意见征集&#xff1a; 本文件给出了农村分散式生活污水分质处理及循环利用的总则、污水收集、污水分质处理、资源化利用、利用模式、运维管理等的指导。 本文件适用于农村分散式生活污水分质处理及循环利用的设施新建、扩建和改建工程的设计、施工与运维。 注:本文件…

AndroidStudio中一些实用插件

1.RainbowBrackets插件为圆括号、方括号和花括号内的代码添加了漂亮的彩虹色 2.CodeGlance类似于Sublime或Xcode&#xff0c;CodeGlance插件在编辑器中嵌入了代码迷你图。滚动条也有所增大。在CodeGlance预览文件的代码模式下&#xff0c;用户可以快速导航到目标处。 3.ADBWifi…

【数据分析面试】2.连续访问最长天数用户(SQL)

题目 给定一个包含事件日志的表格&#xff0c;找出连续访问平台时间最长的前五个用户。 注意&#xff1a;连续访问是指用户在连续的几天内每天至少访问一次平台。 示例&#xff1a; 输入&#xff1a; events 表 ColumnTypeuser_idINTEGERcreated_atDATETIMEurlVARCHAR 输…