JWT认证原理

简介:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

是一种小巧的、自包含的JSON对象,用于两个端系统之间的安全传输,它是一种数字标签,它可以使用了一种严格的算法进行签名,或者使用公钥和私钥的形式进行签名

JWT的使用场景

  • Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.↳

  • Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.

1、授权: 比如在web应用当中我们通常需要使用到授权,来给授权用户进行访问相应的路由、服务和资源

2、信息的交换:因为JWT是被签名的,所以能够非常安全的在端系统之间传输消息,通过JWT你可以确认发送者和内容是否被篡改

JWT的结构

In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:↳

  • Header

  • Payload

  • Signature

Therefore, a JWT typically looks like the following.

xxxxx.yyyyy.zzzzz

Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.↳

For example:

{"alg": "HS256","typ": "JWT"
}

Then, this JSON is Base64Url encoded to form the first part of the JWT.

Payload

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.↳

  • Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.

  • Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.

  • Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered or public claims.

An example payload could be:↳

{"sub": "1234567890","name": "John Doe","admin": true
}

The payload is then Base64Url encoded to form the second part of the JSON Web Token.

Signature

To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.↳

For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:

HMACSHA256(base64UrlEncode(header) + "." +base64UrlEncode(payload),secret)

The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.

Putting all together

The output is three Base64-URL strings separated by dots that can be easily passed in HTML and HTTP environments, while being more compact when compared to XML-based standards such as SAML.

The following shows a JWT that has the previous header and payload encoded, and it is signed with a secret.

Encoded JWT

JWT是如何工作的

In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned. Since tokens are credentials, great care must be taken to prevent security issues. In general, you should not keep tokens longer than required.

一般就是用户成功获取到资格后,服务器需要返回一个JWT,用户进行保存,当时注意JWT的保存时间,需要在特定时间进行删除,若用户需要再次获取,经过上一个步骤

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:↳

Authorization: Bearer <token>

当我们请求受保护的路由和资源的时候需要再请求中携带JWT,典型的就是在请求头中设置Authorization字段,如上

This can be, in certain cases, a stateless authorization mechanism. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources. If the JWT contains the necessary data, the need to query the database for certain operations may be reduced, though this may not always be the case.

Note that if you send JWT tokens through HTTP headers, you should try to prevent them from getting too big. Some servers don't accept more than 8 KB in headers. If you are trying to embed too much information in a JWT token, like by including all the user's permissions, you may need an alternative solution, like Auth0 Fine-Grained Authorization.

如果你携带了JWT,服务器的保护路由将会检查你头部的Authorization是否携带了一个真确的JWT,如果有就会放行,如果你JWT包括了一些必要的数据,比如userid 或者 username 对于某些操作,你就可以不需要去进行数据库的查询了,当是不能够让Http请求的头部较大,大部分的服务器接收的请求头不能操作8KB

If the token is sent in the Authorization header, Cross-Origin Resource Sharing (CORS) won't be an issue as it doesn't use cookies.

此处它指出,JWT并不需要使用cookies,所以能解决跨域问题,更适用于前后端分离的项目当中

The following diagram shows how a JWT is obtained and used to access APIs or resources:

How does a JSON Web Token work

  1. The application or client requests authorization to the authorization server. This is performed through one of the different authorization flows. For example, a typical OpenID Connect compliant web application will go through the /oauth/authorize endpoint using the authorization code flow.

  2. When the authorization is granted, the authorization server returns an access token to the application.

  3. The application uses the access token to access a protected resource (like an API).

Do note that with signed tokens, all the information contained within the token is exposed to users or other parties, even though they are unable to change it. This means you should not put secret information within the token.

JWT官网

我之前使用Node.js去实现过,后续会将实现代码进行一个补充

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/775981.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

【信号处理】基于DGGAN的单通道脑电信号增强和情绪检测(tensorflow)

关于 情绪检测&#xff0c;是脑科学研究中的一个常见和热门的方向。在进行情绪检测的分类中&#xff0c;真实数据不足&#xff0c;经常导致情绪检测模型的性能不佳。因此&#xff0c;对数据进行增强&#xff0c;成为了一个提升下游任务的重要的手段。本项目通过DCGAN模型实现脑…

基于STC12C5A60S2系列1T 8051单片机的按键单击长按实现互不干扰增加减少数值应用

基于STC12C5A60S2系列1T 8051单片机的按键单击长按实现互不干扰增加减少数值应用 STC12C5A60S2系列1T 8051单片机管脚图STC12C5A60S2系列1T 8051单片机I/O口各种不同工作模式及配置STC12C5A60S2系列1T 8051单片机I/O口各种不同工作模式介绍基于STC12C5A60S2系列1T 8051单片机的…

iscsi网络协议(连接硬件设备)

iscsi概念 iscsi是一种互联网协议&#xff0c;用于将存储设备&#xff08;如硬盘驱动器或磁带驱动器&#xff09;通过网络连接到计算机。它是一种存储区域网络&#xff08;SAN&#xff09;技术&#xff0c;允许服务器通过网络连接到存储设备&#xff0c;就像它们是本地设备一样…

区块链技术与大数据结合的商业模式探索

hello宝子们...我们是艾斯视觉擅长ui设计和前端开发10年经验&#xff01;希望我的分享能帮助到您&#xff01;如需帮助可以评论关注私信我们一起探讨&#xff01;致敬感谢感恩&#xff01; 随着区块链技术和大数据技术的不断发展&#xff0c;两者的结合为企业带来了新的商业模式…

科东软件联手英特尔,用工业AI智能机器人赋能工业升级

AI浪潮已经冲击到各行各业中&#xff0c;它能够帮助人们提高思考和生产效率。在创作中&#xff0c;AI能够帮助人们释放创意&#xff0c;那在工业中&#xff0c;AI能够为产业带来什么呢&#xff1f; 科东软件是国内专注于操作系统开发的企业。当前&#xff0c;科东开发的Intewe…

机器学习——贝叶斯分类器(基础理论+编程)

目录 一、理论 1、初步引入 2、做简化 3、拉普拉斯修正 二、实战 1、计算P(c) 2、计算P(x|c) 3、实战结果 1、数据集展示 2、相关信息打印 一、理论 1、初步引入 在所有相关概率都已知的理想情形下&#xff0c;贝叶斯决策论考虑如何基于这些概率和误判损失来选择最…

Jenkins升级中的小问题

文章目录 使用固定版本安装根据jenkins页面下载war包升级jenkins重启jenkins报错问题解决 K8s部署过程中的一些小问题 ##### Jenkins版本小插曲 ​ 在Jenkins环境进行插件安装时全部清一色飘红&#xff0c;发现是因为Jenkins版本过低导致&#xff0c;报错的位置可以找到更新je…

巨控GRM560工业物联网的升级后的功能

巨控GRM560&#xff1a;工业自动化领域的革命者 标签:#工业自动化 #PLC #远程控制 #OPCUA #MQTT 随着工业4.0时代的到来&#xff0c;智能制造已经成为了发展的大势所趋。在这样的背景下&#xff0c;自动化控制系统的核心——可编程逻辑控制器&#xff08;PLC&#xff09;的作用…

shell脚本发布docker-nginx vue2 项目示例

docker、git、node.js安装略过。 使git pull或者git push不需要输入密码操作方法 nginx安装在docker容器里面&#xff0c;参见&#xff1a;https://blog.csdn.net/HSJ0170/article/details/128631155 姊妹篇&#xff08;宿主机nginx&#xff0c;非docker-nginx&#xff09;&am…

基于java+SpringBoot+Vue的数码论坛系统设计与实现

基于javaSpringBootVue的数码论坛系统设计与实现 开发语言: Java 数据库: MySQL技术: SpringBoot MyBatis工具: IDEA/Eclipse、Navicat、Maven 系统展示 前台展示 后台展示 系统简介 整体功能包含&#xff1a; 数码论坛系统是一个基于互联网的数码产品讨论和信息分享平台…

深度学习语义分割篇——DeepLabV2原理详解篇

&#x1f34a;作者简介&#xff1a;秃头小苏&#xff0c;致力于用最通俗的语言描述问题 &#x1f34a;专栏推荐&#xff1a;深度学习网络原理与实战 &#x1f34a;近期目标&#xff1a;写好专栏的每一篇文章 &#x1f34a;支持小苏&#xff1a;点赞&#x1f44d;&#x1f3fc;、…

小狐狸JSON-RPC:wallet_watchAsset(向钱包中新增资产代币)

wallet_watchAsset 请求用户在 MetaMask 中添加新的资产。返回一个布尔值&#xff0c;是否已成功添加。 var res await window.ethereum.request({ "method": "wallet_watchAsset","params": {"type": "ERC20","opti…

盘点库存怎么做账

库存的盘点是企业中非常重要的一步&#xff0c;也是仓管经常要做的工作&#xff0c;盘点通俗点说就是点一下实物与账面上的数据是否一至&#xff0c;来判断我们平时的货物管理是否与账面上的业务往来符合&#xff0c;盘点库存怎么做账&#xff1f; 按目前的情况来看&#xff0c…

【数据结构】Java中Map和Set详解(含二叉搜索树和哈希表)

目录 Map和Set详解 1.二叉搜索树 2.Map常见方法 3.Set常见方法 4.哈希表 Map和Set详解 Map&#xff1a;一种键值对结构&#xff0c;hashMap中键和值均可以为空&#xff0c;hashTable中则不可以存放null值 Set&#xff1a;一种集合&#xff0c;不能存放重复元素&#xff0c…

SpringBoot使用Jedis步骤

基础连接方式 引入依赖 <!-- Jedis --><dependency><groupId>redis.clients</groupId><artifactId>jedis</artifactId></dependency>创建Jedis对象&#xff0c;建立连接 操作字符串 方法名与Rdeis命令一致 操作Hash类型 释放资源 测…

【小米SU7实测发布】Python与人工智能的结合

小米在2023年底正式发布小米SU7,成为继华为之后第二个推出成品的的科技企业。不过此时小米需要做的不仅是打造一款产品力够高的车型,更是要以后发者的身份更快速地追上头部智驾车企。从昨天的发布会中可以发现,小米SU7采用双Orin-X芯片以及27个感知硬件组合,这套硬件组合在…

FFmpeg拉取RTSP流并定时生成10秒短视频

生成效果: 视频时长为10秒 生成格式为FLV 输出日志: 完整实现代码如下: 需要在Mac和终端先安装FFmpeg brew install ffmpeg CMake文件配置: cmake_minimum_required(VERSION 3.27) project(ffmpeg_open_stream) set(CMAKE_CXX_STANDARD 17)#头文件包目录 include_director…

ETL工具-nifi干货系列 第五讲 处理器GenerateFlowFile

1、今天我们一起来学习处理器GenerateFlowFile。这个处理器创建带有随机数据或自定义内容的 FlowFiles。GenerateFlowFile 对于负载测试、配置和模拟非常有用。从工具栏拖动处理器到画布&#xff0c;然后选择GenerateFlowFile即可。 2、点击add按钮或者双击 GenerateFlowFile可…

【蓝桥杯省赛真题34】python积木搭建 中小学青少年组蓝桥杯比赛 算法思维python编程省赛真题解析

python积木搭建 第十三届蓝桥杯青少年组python比赛省赛真题 一、题目要求 &#xff08;注&#xff1a;input&#xff08;&#xff09;输入函数的括号中不允许添加任何信息&#xff09; 1、编程实现 小蓝和小青在玩积木搭建游戏&#xff0c;具体玩法如下: 小蓝报一个数字N&…

vue多语言包i18n

1.安装 如果是vue2直接安装8.2.1版本&#xff0c;否则会出现版本不匹配的错误 npm install vue-i18n8.2.1 --save2.文件编辑 在src目录下创建文件 en.js export const h {system: "Background management system",loginOut:"LoginOut",LayoutSet:Layout …