Structure
JWT = JSON Web Token
- Session
- cookie + session storage
- disadvantages
- storage cost on the server
- CSRF
- hard to scale
- JWT
- goals
- authentication
- information exchange
- structure:
<header>.<payload>.<signature>
- header
- contains
- typ: "JWT"
- alg: the signing algorithm, e.g. "HS256" (HMAC SHA256)
- allowed methods
- HMAC
- RSA
- example
{ "alg": "HS256", "typ": "JWT" } # this JSON is Base64Url encoded to form the first part of the JWT
- payload: symmetric encryption
- three types of claims
- registered claims (defined in the standard)
- iss: issuer of the JWT
- sub: subject, the user the JWT is about
- aud: audience, the party that receives the JWT
- exp: expiration time of the JWT; it must be later than the issue time
- nbf: not-before time; the JWT is not valid before this moment
- iat: the time the JWT was issued
- jti: unique identifier of the JWT, mainly used to make it a one-time token and so avoid replay attacks
- public claims: any information can be placed here
- private claims: information that both parties have agreed on
- signature
HMACSHA256("<base64UrlEncode(header)>.<base64UrlEncode(payload)>", "<secret>")
- NOTE: <secret> is only known by the server
Comparison
- Simple Web Tokens (SWT)
- Security Assertion Markup Language Tokens (SAML)
How to use
fetch('api/user/1', {
  headers: {
    // send the JWT as a Bearer token; the server verifies the signature before trusting the claims
    'Authorization': 'Bearer ' + token
  }
})