JWT: To own me is to have power
2022-08-10 09:00:00 【dotNET cross-platform】
Hi, this is Sang Xiaoyu. In the previous article we explored the principles of the OAuth protocol and its authorization and authentication flow. This time let's discuss JWT, the token that serves as the transport medium for the authorization protocol.
The OAuth protocol defines authorization rules for several participating roles, so that permissions can be granted to third-party applications securely and in a controlled way. After a third-party application obtains the permissions granted by the user, it interacts with the resource server. That interaction necessarily needs a transport medium, and that medium must carry the user's identity information so the servers can identify and authenticate each other. The transport medium is the JWT we discuss this time.
JWT, in full JSON Web Token, is what we usually just call a token. Using a digital signature, and with a JSON object as the carrier, it transmits information securely between different services.
From the definition of JWT we can see that it has the same characteristics as JSON: a very lightweight transport format, easy for humans to read and write, and convenient for machines to parse and generate.
It is like our national ID card: once the relevant authority recognizes you as a legal citizen, it issues a certificate that is valid throughout the country, and with that certificate you can enter and leave any place that requires you to show it. JWT works the same way: after the server authenticates you as a legitimate user, it generates a JSON object and sends it to the user, for example:
{
"姓名": "Sang Xiaoyu",
"角色": "管理员",
"到期时间": "2022年10月1日 10点10分"
}
From then on, every time the user needs to communicate with the server, it carries this identity JSON, and the server only needs to verify the identity information the user carries.
Of course, the user information is not carried in clear text; otherwise it would be easy for an attacker to intercept and tamper with it, and the token would become meaningless. Anything issued for circulation needs anti-counterfeiting marks: ID cards, system architect certificates, RMB banknotes and so on all carry complex anti-counterfeiting features.
So when a JWT is generated, a signature is usually added to prevent tampering. This gives the standard JWT format shown below:
[Figure: the components of a parsed JWT]
On the left we can see that the JWT, once the signature has been generated, is a very long string divided by dots (.) into three parts.
On the right we see it parsed into the components that make up a JWT:
Header
Payload
Signature
So the composition of a JWT is: Header.Payload.Signature
We will now discuss these three parts in turn.
Header
The header part is a JSON object that describes some metadata about the JWT, that is, its attributes. The usual format is as follows:
{
  "alg": "HS256",
  "typ": "JWT"
}
In the code above, the alg property designates the signature algorithm (algorithm); the default is HMAC SHA256, written as HS256. The commonly used signature algorithms are RS256, HS256 and base64.
RS256 (RSA signature with SHA-256) is an asymmetric algorithm that uses a public/private key pair: the identity provider holds the private (secret) key used to generate the signature, while the consumer of the JWT obtains the public key to verify the signature. Unlike the private key, the public key does not need to be kept secret, so most identity providers make it easy for consumers to obtain and use (usually via a metadata URL).
HS256 (HMAC with SHA-256) combines a hash function with a key that is shared between the two parties and is used to produce the hash that serves as the signature. Because the same key is used both to generate and to verify the signature, care must be taken to ensure that the key is not compromised.
The typ property indicates the type of this token; for JWT tokens it is uniformly written as JWT.
Finally, the JSON object above is converted to a string with the base64url algorithm.
Payload
The payload part is also a JSON object, used to hold the data that actually needs to be transmitted; it usually contains some signed information. JWT specifies seven official fields to choose from.
iss (issuer): the issuer of the JWT.
sub (subject): the user the JWT is about.
aud (audience): the party that receives the JWT.
exp (expiration time): the expiry time of the JWT; it must be later than the issue time.
nbf (Not Before): the time before which the JWT is not valid.
iat (Issued At): the time at which the JWT was issued.
jti (JWT ID): the unique identifier of the JWT, mainly used to make the token one-time so as to avoid replay attacks.
Besides the seven officially defined fields, you can also define private fields of your own. For example, the payload in the JWT figure above defines some private fields:
{
  "sub": "1234567890",
  "name": "Sang Xiaoyu呀",
  "iat": 1516239022
}
Note that a JWT is not encrypted by default and anyone can read it, so do not put secret information in this section. The payload part is likewise converted to a string with the base64url algorithm.
Signature
The signature part is a signature over the preceding header and payload, to prevent the data from being tampered with.
First, a 256-bit secret must be specified. This secret is known only to the server and must not be leaked to users. Then, using the signature algorithm specified in the header (HMAC SHA256 by default), the signature is produced according to the following formula:
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)
Once the signature is computed, the three parts header, payload and signature are joined into one string, separated by dots (.), and that string can be returned to the user.
Base64Url algorithm
As mentioned several times above, the header and payload parts need to use the base64url algorithm. base64url is basically similar to base64, but there are a few differences.
As a token, a JWT may be used inside a URL in some scenarios, for example https://jwt.io/?token=xxx. The encoding process first encodes the plaintext that goes into the URL, and then, on top of base64 encoding, handles the characters that are special inside a URL: = is omitted, + is replaced with -, and / is replaced with _. That is the base64url encoding algorithm.
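An added example, not from the original article, that implements the base64url encoding just described and the HMACSHA256 formula from the Signature section, then verifies a token the way a resource server should (pinned algorithm, constant-time comparison, exp/nbf window). The secret and the claims are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed example secret; a real server uses a random 256-bit key it never exposes.
SECRET = b"example-secret-key-do-not-use-in-production"

def b64url_encode(data: bytes) -> str:
    # base64url: '+' becomes '-', '/' becomes '_', trailing '=' padding is dropped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # restore the padding that base64url strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Header.Payload.Signature, following the HMACSHA256 formula in the article
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the payload if the token is authentic and inside its validity window, else None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    # Pin the algorithm: the header is untrusted until the signature is checked,
    # so the server decides the algorithm, never the token (base64 is an encoding, not a signature).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    payload = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:   # expired
        return None
    if "nbf" in payload and now < payload["nbf"]:    # not yet valid
        return None
    return payload

if __name__ == "__main__":
    claims = {"sub": "1234567890", "name": "Sang Xiaoyu", "iat": 1516239022, "exp": 1516239022 + 600}
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, claims, SECRET)
    print(token)
    print(verify_hs256(token, SECRET, now=1516239100))
```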
Using JWT
Having covered the composition of JWT, back to its use. In authentication, when a client logs in successfully with its credentials, a token is returned. Because the token is a credential, great care must be taken to prevent security problems; tokens should generally not be held for longer than required.
Although we could store the token in a cookie or in localStorage so that it is sent automatically, that lacks security and raises cross-origin issues. A better approach is to use the bearer scheme in the Authorization header. The header should look like this:
Authorization: Bearer <token>
If the token is sent in the Authorization header, Cross-Origin Resource Sharing (CORS) is not a problem, because it does not use cookies. Transmitting over HTTPS also greatly improves security.
[Figure: a simple JWT authorization flow]
Characteristics of JWT
Finally, let's summarize a few characteristics of JWT:
1. JWT is not encrypted by default, but it can be encrypted: after the original token is generated, it can be encrypted once more with a key.
2. When a JWT is not encrypted, secret data must not be written into it.
3. JWT can be used not only for authentication but also for exchanging information. Used well, it can reduce the number of database queries the server makes.
4. The biggest drawback of JWT is that, because the server keeps no session state, a token cannot be revoked or its permissions changed while it is in use. In other words, once a JWT is issued it remains valid until it expires, unless the server deploys extra logic.
5. A JWT itself contains the authentication information; once it leaks, anyone holding it obtains all the permissions of that token. To reduce the impact of theft, the validity period of a JWT should be kept short, and for more important permissions the user should be authenticated again.
6. To reduce the risk of theft, a JWT should not be transmitted in clear text over HTTP; it should be transmitted over HTTPS.
That concludes our discussion of JWT. In the next article we will demonstrate, as a coding exercise, how a JWT is generated and used, together with a standard OIDC authorization flow.
For more interesting content, stay tuned!