JWT authentication: this article is all you need to read

Time: 2021-9-26

Token-based authentication

The previous article covered session and cookie authentication in general terms. Session authentication requires the server to do a lot of work to keep session information consistent and to store it, so modern web applications tend to prefer client-side authentication solutions. Cookie authentication is client-side, but the drawbacks of cookies are also obvious (see the previous article for those). Is there a middle ground? Yes, there is.

The key to keeping authentication information on the client is keeping it secure. If the security of the authentication information can be guaranteed, it can be stored on the client and the server holds no authentication state at all, which makes scaling the server out much easier. For securing the information, a signature mechanism is now the common practice; the verification method of the WeChat public-platform interface, for example, is based on a signature mechanism.

A signature is a digital string that only the sender of the information can generate and that others cannot forge. It also serves as effective proof that the information really was sent by that sender.

After the user logs in and the server has verified the credentials, the server uses some mechanism to generate a token string. This token can carry a lot of information, such as the source IP, expiration time and user information, and is sent to the client. The client carries this token in every subsequent request. How it is carried is actually very flexible: a cookie or any other method is fine, as long as it is agreed with the server. Of course, I do not recommend cookies here. When the server receives a request, it extracts the token and verifies it (the source IP, expiration time and other information can all be checked). If the token is valid, the operation is allowed.

Token-based authentication is also widely used on the modern Internet. What are its advantages?

  1. Cross-domain support: cookies do not allow cross-domain access, but this restriction does not exist for the token mechanism, provided the user's authentication information is transmitted in an HTTP header.
  2. Stateless: the token mechanism does not need to store session information on the server, because the token itself contains all of the logged-in user's information; the client only needs to keep it in a cookie or local storage.
  3. Decoupling: it does not need to be bound to a specific authentication scheme. Tokens can be generated anywhere, as long as they are available when your API is called.
  4. Wider applicability: any client that speaks HTTP can use token authentication.
  5. The server only needs to verify the token's integrity and does not need to look up the logged-in user, because the user's login information is already in the token.
  6. Based on a standard: your API can adopt the standardized JSON Web Token (JWT). Libraries for this standard already exist for multiple back ends (.NET, Ruby, Java, Python, PHP) and it is supported by multiple companies (such as Firebase, Google and Microsoft).

What are the disadvantages of token-based authentication?

  1. More data on the wire: because a large amount of user and security-related information is stored in the token, it is much larger than a simple cookie, so transmitting it consumes more traffic and occupies more bandwidth.
  2. Like all client-side authentication methods, it is difficult for the server to revoke (log out) a token, and token hijacking on the client is also hard to address.
  3. Because the server must additionally verify the integrity of the token data, CPU overhead is higher than with session authentication.

Overall, however, token-based authentication has great advantages over session and cookie authentication. Among the known token authentication schemes, JWT is an excellent solution.

JWT

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

A JWT is actually a string consisting of three parts: header, payload and signature.

Header

The header typically consists of two parts: the type of token ("JWT") and the name of the signing algorithm (such as HMAC SHA256 or RSA).

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The payload is also a JSON object and holds the actual data to be transferred. The JWT specification defines 7 registered claims to choose from:

iss (issuer): who issued the token
exp (expiration time): when the token expires
sub (subject): the subject of the token
aud (audience): the intended recipient
nbf (not before): the time from which the token is valid
iat (issued at): when the token was issued
jti (JWT ID): a unique identifier for the token

In addition to these fields, you can add any field you want. One reminder: under the JWT standard the payload is only encoded, not encrypted, so sensitive information should not be put into this JSON.

{
    "Name": "dishes",
    "Age": 18
}

Signature

To produce the signature part you need the encoded header, the encoded payload and a secret key (known only to the server). They are signed with the algorithm specified in the header:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Once the signature is calculated, the header, payload and signature are joined into one string, with each part separated by a dot (.), which can then be returned to the user. Remember that Base64 is an encoding method, not an encryption method.

Closing remarks

The general process of token-based authentication is as follows:

  1. The client submits a request carrying the user's login credentials (usually a user name and password).
  2. The server receives the login request and verifies the credentials. If they are correct, it generates the token in the agreed format, signs it and returns it to the client.
  3. When the client receives the token, it saves it in a cookie or elsewhere, and from then on carries the token on every request.
  4. The service server receives the request and verifies the token. If it is valid, it proceeds with the operation.

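The following is an added example, not code from the original article, that puts the signature formula from the Signature section and the four-step process above into working Python using only the standard library. It signs and verifies an HS256 token exactly as HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret), pins the algorithm on the verifying side, checks exp and nbf, and shows that the payload can be read by anyone holding the token, which is the "Base64 is encoding, not encryption" point. The secret, the user store, the salt and the use of an Authorization: Bearer header to carry the token are all constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment uses a long random value known only to the server.
SECRET = b"demo-secret-do-not-use-in-production"


def _b64url_encode(data: bytes) -> str:
    """Base64URL without '=' padding, the encoding JWT uses for all three parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, secret, ttl_seconds=3600, now=None):
    """Server side: header.payload.signature, where signature is
    HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims)
    payload.setdefault("iat", now)
    payload.setdefault("nbf", now)
    payload.setdefault("exp", now + ttl_seconds)
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, secret, now=None):
    """Server side: check the signature first, then the time claims.
    Raises ValueError on any failure and returns the payload on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


def read_payload_without_key(token):
    """Anyone holding the token can do this: Base64URL is encoding, not encryption."""
    return json.loads(_b64url_decode(token.split(".")[1]))


# --- Constructed login flow (steps 1-4 above) ---
_SALT = b"demo-salt"  # constructed; real systems use a random per-user salt

def _password_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": _password_hash("correct horse")}  # constructed user store


def login(username, password, now=None):
    """Step 2: check the credentials and, if they are correct, issue a signed token."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _password_hash(password)):
        return None
    return issue_token({"iss": "demo-auth", "sub": username}, SECRET, now=now)


def handle_request(authorization_header, now=None):
    """Step 4: the token is carried in an Authorization: Bearer header (an assumption;
    the article leaves the carrying method to client and server to agree on)."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(authorization_header[len("Bearer "):], SECRET, now=now)
    except ValueError as exc:
        return 401, str(exc)
    return 200, f"hello {claims['sub']}"


if __name__ == "__main__":
    token = login("alice", "correct horse")
    print(read_payload_without_key(token))  # readable with no key at all
    print(handle_request("Bearer " + token))
```

The verifier deliberately reads the algorithm from its own configuration rather than trusting the header, rejects a tampered payload because the HMAC no longer matches, and treats an expired token as a 401 even though its signature is still valid; the expiration check is the article's recommended mitigation for a token that has been copied from the client.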

One more reminder: whether it is token, cookie or session authentication, once someone else obtains the client's identity they can still forge operations. So with any authentication method, consider adding a source IP check or whitelist and an expiration time, and use HTTPS whenever conditions permit.
