What is JWT
JSON Web Token (JWT) is an open standard (RFC 7519) based on JSON for delivering claims between network application environments. The token is designed to be compact and secure, which makes it especially suitable for single sign-on (SSO) across distributed sites. A JWT's claims are typically used to carry an authenticated user's identity information from the identity provider to the service provider, so that resources can be obtained from the resource server; additional claims required by other business logic can be added as well. The token can also be used directly for authentication, or it can be encrypted.
Traditional session authentication
HTTP is a stateless protocol. If a user supplies a user name and password to our application for authentication, the very next request would require authentication all over again, because HTTP gives us no way to tell which user sent it. To let the application recognise which user a request belongs to, the server has to store a copy of the user's login information. A reference to that login information is passed back to the browser in the response with an instruction to save it as a cookie, and the browser sends it along on the next request; the application can then identify which user the request comes from. This is traditional session-based authentication.
Session-based authentication, however, makes the application itself hard to scale. As the number of clients grows, a single server can no longer carry all of the users' sessions, and that is when the problems of session-based authentication show.
Authentication mechanism based on token
Token-based authentication is stateless, just like HTTP itself. The server does not need to retain the user's authentication information or any session information. This means an application built on token-based authentication does not have to care which server the user logged in on, which makes the application easy to scale out.
The process is as follows:
The user sends the user name and password to the server
The server validates the user's credentials
If authentication succeeds, the server issues a token to the user
The client stores the token and attaches it to every subsequent request
The server verifies the token and returns the requested data
The token must accompany every request to the server, and it should be carried in a request header.
Composition of JWT
The first part is the header
The second part is the payload
The third part is the signature
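The following example, added here and not part of the original article, ties the token flow above (issue on login, verify on every request) to the three-part structure just described. It mints an HS256 JWT from a header, a payload and an HMAC signature over the first two parts, then verifies it the way a stateless server would: pinning the algorithm rather than trusting the token's own alg field, comparing the signature in constant time, and checking the exp claim. The secret, the claim values and the tamper helper are all constructed for the demonstration; it uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for the demo; a real deployment loads it from a secret store.
SECRET = b"example-hmac-key-for-demo-only"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode: restore the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_part(obj: dict) -> str:
    # Compact JSON (no spaces) so the encoded part is as short as possible.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(username: str, secret: bytes = SECRET,
                now: Optional[int] = None, ttl: int = 3600) -> str:
    """Flow step 3: after the password check passed, mint header.payload.signature.

    The server stores nothing; everything it needs later lives in the payload.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + ttl}
    signing_input = _json_part(header) + "." + _json_part(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def split_token(token: str):
    """Decode the three parts without verifying them: (header dict, payload dict, signature bytes)."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(signature_b64))


class InvalidToken(Exception):
    pass


def verify_token(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Flow step 5: validate the token on each request with no server-side lookup.

    Raises InvalidToken for a malformed token, an unexpected algorithm,
    a signature mismatch, or a missing/expired exp claim. Returns the claims.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have three dot-separated parts")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        actual_sig = b64url_decode(signature_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise InvalidToken("token parts are not valid base64url/JSON")
    # Pin the algorithm: the server decides how to verify, never the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected_sig, actual_sig):
        raise InvalidToken("signature mismatch")
    # Only now is the payload authenticated and safe to interpret.
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("payload is not valid base64url/JSON")
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        raise InvalidToken("token expired or missing exp")
    return payload


def tamper_with_subject(token: str, new_subject: str) -> str:
    """Constructed for the demo: change the payload but keep the old signature,
    to show that verify_token rejects any edit to the signed parts."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["sub"] = new_subject
    return f"{header_b64}.{_json_part(payload)}.{signature_b64}"


if __name__ == "__main__":
    tok = issue_token("alice", now=1_700_000_000)
    print("token:", tok)
    print("parts:", split_token(tok)[:2])
    print("verified claims:", verify_token(tok, now=1_700_000_010))
```

Run it and the printed token has exactly two dots: the first part decodes to the header {"alg":"HS256","typ":"JWT"}, the second to the claims, and the third is the 32-byte HMAC. Because the HMAC key never leaves the server, a client can read its own claims but cannot change them, which is what lets the server stay stateless.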