Jwt简介

news2024/11/15 13:59:29

目录

    • 前言
    • What is JSON Web Token?
    • When should you use JSON Web Tokens?
    • What is the JSON Web Token structure?
      • Header
      • Payload
      • Signature
      • Putting all together
    • How do JSON Web Tokens work?
    • Why should we use JSON Web Tokens?

前言

    技术文档这种东西,我一直认为是啃最原始的比较好,如果你去查阅别人翻译过的东西,那么势必会增加一层他人对原文的理解。像当年苦背面试题的时候,读了一篇关于内存模型的,我傻傻分不清jvm内存模型和java内存模型,一直认为这是一个东西,概念混淆,导致面试的时候闹了不少笑话。
    因此,现在在学习新的技术时,我会优先看原始文档。所以,本篇内容,我仅对原文做简单解释,原文地址见文尾。原文是英文文档,但是通俗易懂,请大家自行理解。

What is JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Although JWTs can be encrypted to also provide secrecy between parties, we will focus on signed tokens. Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.

这段介绍了Jwt,包括他常用的加密算法,是通过json进行信息传输。

When should you use JSON Web Tokens?

Here are some scenarios where JSON Web Tokens are useful:

  • Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
  • Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn’t been tampered with.

这段是对你何时需要使用Jwt给出了建议,首先是授权认证的时候,其次在信息交换的时候也同样适用,并且阐明了原因。

What is the JSON Web Token structure?

In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

Therefore, a JWT typically looks like the following.

xxxxx.yyyyy.zzzzz

Let’s break down the different parts.

Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

For example:

{
  "alg": "HS256",
  "typ": "JWT"
}

Then, this JSON is Base64Url encoded to form the first part of the JWT.

Payload

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.

  • Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.

Notice that the claim names are only three characters long as JWT is meant to be compact.

  • Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.

  • Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered or public claims.

An example payload could be:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

The payload is then Base64Url encoded to form the second part of the JSON Web Token.

Do note that for signed tokens this information, though protected against tampering, is readable by anyone. Do not put secret information in the payload or header elements of a JWT unless it is encrypted.

Signature

To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

The signature is used to verify the message wasn’t changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.

Putting all together

The output is three Base64-URL strings separated by dots that can be easily passed in HTML and HTTP environments, while being more compact when compared to XML-based standards such as SAML.

The following shows a JWT that has the previous header and payload encoded, and it is signed with a secret. Encoded JWT

If you want to play with JWT and put these concepts into practice, you can use jwt.io Debugger to decode, verify, and generate JWTs.

这段在说Jwt的组成部分,以及每部分作者定义的具体用途,并且给出了Jwt加密后的实例。对签名加密部分也做了相应的解释和说明。

How do JSON Web Tokens work?

In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned. Since tokens are credentials, great care must be taken to prevent security issues. In general, you should not keep tokens longer than required.

You also should not store sensitive session data in browser storage due to lack of security.

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:

Authorization: Bearer <token>

This can be, in certain cases, a stateless authorization mechanism. The server’s protected routes will check for a valid JWT in the Authorization header, and if it’s present, the user will be allowed to access protected resources. If the JWT contains the necessary data, the need to query the database for certain operations may be reduced, though this may not always be the case.

Note that if you send JWT tokens through HTTP headers, you should try to prevent them from getting too big. Some servers don’t accept more than 8 KB in headers. If you are trying to embed too much information in a JWT token, like by including all the user’s permissions, you may need an alternative solution, like Auth0 Fine-Grained Authorization.

If the token is sent in the Authorization header, Cross-Origin Resource Sharing (CORS) won’t be an issue as it doesn’t use cookies.

The following diagram shows how a JWT is obtained and used to access APIs or resources:
在这里插入图片描述

  1. The application or client requests authorization to the authorization server. This is performed through one of the different authorization flows. For example, a typical OpenID Connect compliant web application will go through the /oauth/authorize endpoint using the authorization code flow.
  2. When the authorization is granted, the authorization server returns an access token to the application.
  3. The application uses the access token to access a protected resource (like an API).

Do note that with signed tokens, all the information contained within the token is exposed to users or other parties, even though they are unable to change it. This means you should not put secret information within the token.

这几段文字对Jwt常规使用方式做了简要的说明,结合图片来看,可以看出客户端进行登录与被授权,当拿到access_token之后就可以去应用服务请求相应的资源。

Why should we use JSON Web Tokens?

Let’s talk about the benefits of JSON Web Tokens (JWT) when compared to Simple Web Tokens (SWT) and Security Assertion Markup Language Tokens (SAML).

As JSON is less verbose than XML, when it is encoded its size is also smaller, making JWT more compact than SAML. This makes JWT a good choice to be passed in HTML and HTTP environments.

Security-wise, SWT can only be symmetrically signed by a shared secret using the HMAC algorithm. However, JWT and SAML tokens can use a public/private key pair in the form of a X.509 certificate for signing. Signing XML with XML Digital Signature without introducing obscure security holes is very difficult when compared to the simplicity of signing JSON.

JSON parsers are common in most programming languages because they map directly to objects. Conversely, XML doesn’t have a natural document-to-object mapping. This makes it easier to work with JWT than SAML assertions.

Regarding usage, JWT is used at Internet scale. This highlights the ease of client-side processing of the JSON Web token on multiple platforms, especially mobile.

Comparing the length of an encoded JWT and an encoded SAML Comparison of the length of an encoded JWT and an encoded SAML

If you want to read more about JSON Web Tokens and even start using them to perform authentication in your own applications, browse to the JSON Web Token landing page at Auth0.

这里是作者简明扼要的阐述了为什么要选择Jwt而不是xml或者其他技术,从安全性,传输内容长度以及跨语言等多方面进行了说明。

Jwt官方介绍传送门

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/400522.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

数枝营销与纷享销客达成战略合作,共同推动B2B企业营与销一体化

近日&#xff0c;营销咨询与数字化服务商数枝营销同国内知名SaaS CRM厂商纷享销客举行了战略合作签约仪式&#xff0c;双方就促进B2B企业的“营与销协同增长”将展开全面合作。纷享销客创始人兼CEO罗旭与数枝营销创始人黄海钧 另据工商信息显示&#xff0c;数枝营销&#xff08…

webshell管理工具-菜刀的管理操作

什么是webshell Webshell是一种运行在Web服务器上的脚本程序&#xff0c;通常由黑客使用来绕过服务器安全措施和获取对受攻击服务器的控制权。Webshell通常是通过利用Web应用程序中的漏洞或者弱密码等安全问题而被植入到服务器上的。 一旦Webshell被植入到服务器上&#xff0…

基于应用理解的协议栈优化

作者&#xff1a;余兵 移动互联网时代&#xff0c;不同的应用追求的产品体验差异性很大。 应用商店和图片等下载类型业务追求速度、越快越好&#xff0c;短视频关注起播、拖拽响应速度和观看过程卡不卡&#xff0c;直播追求画质清晰、高码率和直播过程流畅&#xff1b;而游戏则…

苹果iPhone屏下Touch ID技术专利获批,苹果Find My技术大火

根据美国商标和专利局&#xff08;USPTO&#xff09;公示的最新清单&#xff0c;苹果近日获得了屏下 Touch ID 的新技术专利。专利中重点提及了“短波红外线”技术&#xff0c;相关元件位于屏幕下方或者集成到屏幕内。 该专利主要介绍了应用于屏幕 Touch ID 的光学成像系统&…

自动化工具selenium(一)

一)什么是自动化&#xff1f;为什么要做自动化&#xff1f; 自动化测试可以代替一部分手工测试&#xff0c;不能够完全代替手工测试 1)自动化测试相比于手工测试来说人力的投入和时间的投入是非常非常少的&#xff0c;自动化测试能够提高测试效率 2)在回归测试里面&#xff0c;…

被隐藏的过程——预处理

文章目录0. 前言1. 程序的翻译环境和执行环境2. 被隐藏的过程2.1 翻译环境2.2 编译3.2.1 预编译3.2.2 编译2.2.3 汇编2.3 链接2.4 运行环境3. 预处理3.1 预定义符号3.2 #define3.2.1 #define定义标识符3.2.2 #define定义宏3.2.3 #define替换规则3.2.4 #和##3.2.5 带副作用的宏参…

API Gateway vs Load Balancer:选择适合你的网络流量管理组件

本文从对比了 API Gateway 和 Load Balancer 的功能区别&#xff0c;帮助读者更好地了解他们在系统架构中扮演的角色。 作者陈泵&#xff0c;API7.ai 技术工程师。 原文链接 由于互联网技术的发展&#xff0c;网络数据的请求数节节攀升&#xff0c;这使得服务器承受的压力越来…

vue-virtual-scroll-list虚拟列表

当DOM中渲染的列表数据过多时&#xff0c;页面会非常卡顿&#xff0c;非常占用浏览器内存。可以使用虚拟列表来解决这个问题&#xff0c;即使有成百上千条数据&#xff0c;页面DOM元素始终控制在指定数量。 一、参考文档 https://www.npmjs.com/package/vue-virtual-scroll-li…

Web前端学习:章三 -- JavaScript预热(三)

六九&#xff1a;函数的变量提升 函数的变量提升没有var高&#xff0c;var是最高的。 先提var&#xff0c;再提函数 解析&#xff1a; 1、4行打印之前没有定义变量&#xff0c;预解析触发变量提升 2、先提var&#xff0c;再提函数。所以先把var提升到最上面&#xff0c;然后提…

【蓝牙系列】蓝牙5.4到底更新了什么(2)

【蓝牙系列】蓝牙5.4到底更新了什么&#xff08;2&#xff09; 一、 背景 上一篇文章讲了蓝牙5.4的PAwR特征&#xff0c;非常适合应用在电子货架标签&#xff08;ESL&#xff09;领域&#xff0c; 但是实际应用场景中看&#xff0c;只有PAwR特性是不够的&#xff0c;如何保证广…

【latex】总结最近使用到的画图、表格及公式操作

前言 推荐使用overleaf写latex文章&#xff0c;内含很多会议/期刊的模板&#xff0c;可以直接套用。 https://www.overleaf.com下文都是在写论文过程中比较头疼的部分&#xff0c;有人建议我写完文章&#xff0c;最后再调整格式。但图片过大看起来实在是不适~ 插入图片 \beg…

5GHz 你得先认识DFS

想用Wi-Fi 5GHz&#xff1f;你得先认识DFS&#xff01; 添加链接描述 无线网络2.4 GHz的频段&#xff0c;因为频道过少、使用技术过多太过拥挤&#xff0c;频宽性能不佳早已不是新闻。在5 GHz的频段&#xff0c;频道数大幅超过2.4 GHz&#xff0c;但其中也有一大部份是DFS频道…

【MySQL高级篇】第04章_逻辑架构

第04章_逻辑架构 1. 逻辑架构剖析 1.1 服务器处理客户端请求 首先MySQL是典型的C/S架构&#xff0c;即Clinet/Server 架构&#xff0c;服务端程序使用的mysqld。 不论客户端进程和服务器进程是采用哪种方式进行通信&#xff0c;最后实现的效果是&#xff1a;客户端进程向服…

线程池的原理

1. 为什么要用线程池降低资源消耗。通过重复利用已创建的线程降低线程创建、销毁线程造成的消耗。提高响应速度。当任务到达时&#xff0c;任务可以不需要等到线程创建就能立即执行。提高线程的可管理性。线程是稀缺资源&#xff0c;如果无限制的创建&#xff0c;不仅会消耗系统…

Javaweb之会话跟踪技术

1.会话跟踪技术的概述 会话跟踪技术就是处理一次会话中多次请求间数据共享问题 会话:用户打开浏览器&#xff0c;访问web服务器的资源&#xff0c;会话建立&#xff0c;直到有一方断开连接&#xff0c;会话结束。在一次会话中可以包含多次请求和响应。 从浏览器发出请求到服务…

vue 行内样式 px 单位 转换为 vw

vue2 安装 插件 npm i style-vw-loader --save vue.config.js 文件配置 module.exports {chainWebpack: (config) > {config.module.rule(vue).test(/\.vue$/).use(style-vw-loader).loader(style-vw-loader).options({unitToConvert: "px",//需要转换的单位vi…

讲透前端工程开发工具发展与使用

前端⼯程化的发展及⼯具详解 什么是⼯程化&#xff1f;什么是前端⼯程化&#xff1f; 随着发展的逐步发展&#xff0c;作为⼯程师除了需要关注需要写的⻚⾯&#xff0c;样式和逻辑之外&#xff0c;还需要⾯对⽇益复杂的系统性问题&#xff0c;⽐如模块化⽂件的组织、ES6 JS ⽂…

为了满足国内市场快速发展的业务需求,理想汽车选择亚马逊云科技

理想汽车是一家用户驱动的汽车科技企业&#xff0c;坚持核心技术全栈自研&#xff0c;理想ONE是其首个单车突破20万辆的智能电动车产品。借助亚马逊云科技领先技术和多项托管服务&#xff0c;理想汽车迅速构建起安全稳定、技术架构先进的车联网云计算处理平台&#xff0c;服务于…

R语言基础(二):常用函数

接前文&#xff1a; R语言基础(一)&#xff1a;注释、变量 3.常用函数 函数就是一些已经编写好的功能&#xff0c;我们拿过来直接使用就可以了。 3.1 查看变量ls() 也许你清空了控制台&#xff0c;看不到之前的变量。但是它一直存在于系统中。 我们可以使用ls()函数查看已经定…

事件响应必备:DNS攻击与防御矩阵

攻击者采用了哪些DNS攻击技术&#xff0c;哪些组织可以帮助事件响应团队检测、缓解和预防这些技术&#xff1f;FIRST近日发布的DNS攻击与防御矩阵提供了答案。 DNS作为互联网基础架构的一项核心服务&#xff0c;安全问题严峻&#xff0c;各种攻击层出不穷。F5发布的数据显示&a…