JWT

已发布 2017-12-17 11:44:20

Structure

JWT = JSON Web Token

  • Session
    • cookie + session storage
    • disadvantage
      • storage cost on server
      • CSRF
      • hard to be scalable
  • JWT

    • goals
      • authentication
      • information exchange
    • structure: <header>.<payload>.<signature>

      • header

        • contains
          • type: “JWT”
          • algorithms: “HMAC SHA256”
            • allowed methods
              • hmac
              • RSA
        • exmaple
        {
          "alg": "HS256",
          "typ": "JWT"
        }
        # this JSON is Base64Url encoded to form the first part of the JWT
        
      • payload: 对称加密

        • three types
          • statement registered in standard
            • iss: jwt签发者
            • sub: jwt所面向的用户
            • aud: 接收jwt的一方
            • exp: jwt的过期时间,这个过期时间必须要大于签发时间
            • nbf: 定义在什么时间之前,该jwt都是不可用的.
            • iat: jwt的签发时间
            • jti: jwt的唯一身份标识,主要用来作为一次性token,从而回避重放攻击。
          • public statement: 可以放置任何信息
          • private statement: 可以放置双方所共同定义的信息
      • signature

        • HMACSHA256("<base64UrlEncode(header)>.<base64UrlEncode(payload)>", "<secret>")
        • NOTE: <secret> is only known by the server

Comparison

  • Simple Web Tokens (SWT)
  • Security Assertion Markup Language Tokens (SAML)

How to use

fetch('api/user/1', {
  headers: {
    'Authorization': 'Bearer ' + token
  }
})

References

comments powered by Disqus