Understanding JSON web token (JWT)


What is JWT

Json web token (JWT), is an open standard based on JSON ((RFC 7519) implemented to deliver claims between network application environments. The token is designed to be compact and secure, especially suitable for single sign on (SSO) scenarios of distributed sites. JWT’s declaration is generally used to transfer the authenticated user‘s identity information between the identity provider and the service provider, so as to obtain resources from the resource server. It can also add some additional declaration information necessary for other business logic. The token can also be used for authentication directly or encrypted.

Traditional session authentication

HTTP protocol itself is a stateless protocol, which means that if the user provides the user name and password to our application for user authentication, then the next request, the user will have to carry out user authentication again, because according to the HTTP protocol, we can not know which user sent the request, so in order to let our application identify which user For a user’s request, we can only store a copy of the user’s login information in the server. This login information will be passed to the browser when responding, telling it to save it as a cookie, so that it can be sent to our application next time. In this way, our application can identify which user the request comes from. This is the traditional session based authentication.

But this kind of session based authentication makes it difficult to extend the application itself. With the increase of different client users, the independent server can not carry more users. At this time, the problem of session based authentication application will be exposed

Authentication mechanism based on token

The token based authentication mechanism is also stateless, similar to the HTTP protocol. It does not need to retain the user’s authentication information or session information on the server. This means that the application based on token authentication mechanism does not need to consider which server the user logs in, which provides convenience for application expansion.

The process is as follows:

  • The user uses the user name and password to request the server
  • The server authenticates the user's information
  • The server sends a token to the user through authentication
  • The client stores the token and attaches the token value to each request
  • The server verifies the token value and returns the data
  • This token must be passed to the server at each request, and it should be stored in the request header

Composition of JWT

  • The first part is called the head
  • The second part is called load
  • The third part is visa

Recommended Today

JS function

1. Ordinary function Grammar: Function function name (){ Statement block } 2. Functions with parameters Grammar: Function function name (parameter list){ Statement block } 3. Function with return value Grammar: Function function name (parameter list){ Statement block; Return value; } Allow a variable to accept the return value after calling the function Var variable name […]