What is JWT

Time:2020-11-20

JSON WEB TOKEN

An open standard based on JSON is designed to be compact and secure for single sign on of distributed sites for the purpose of transmitting statements between network application environments

Traditional session authentication

Session based authentication is difficult to extend the application itself

  1. The session session is stored in memory, and the server overhead increases significantly with the increase of authenticated users
  2. The extensibility server makes authentication records, and the next request of the user must be on this server, which limits the expansion ability
  3. CSRF authentication based on cookie will be attacked by forgery
Authentication mechanism based on token

Stateless facilitates extension

  1. The user logs in with a user name and password
  2. The server sends the token to the user
  3. The client stores the token and appends the token to each request
  4. The server verifies the token and returns the data
JWT composition
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
header
{
'typ':"JWT",
"alg":"HS256"
}

Base 64 encryption

playload

Store valid information (base64 encryption)

  • Declaration registered in the standard
  • Public statement
  • Private statement
**ISS * *: JWT issuer
  **Sub * *: the users JWT is targeting
   **Aud * *: the party receiving JWT
   **Exp * *: the expiration time of JWT, which must be greater than the issuing time
   **NBF * *: defines when the JWT is unavailable
  **IAT * *: the issuing time of JWT
  **JTI * *: the unique identity of JWT, which is mainly used as a one-time token to avoid replay attacks.
{
"sub":"1234567",
"name":"johen",
"admin":true
}
signature

The signature part Base64 (header) + “. + Base64 (payload) is encrypted in ha256 with salt
Salt is preserved on the server side

The advantage server only stores secret