Home > Backend Development > PHP Problem > What does JWT do?

What does JWT do?

Guanhui
Release: 2023-03-01 17:34:01
Original
4507 people have browsed it

JWT is a popular cross-domain authentication solution. Its principle is to encrypt user information to generate a Token. Each time the server requests a request, it only needs to use the saved key to verify the correctness of the Token, and there is no need to save it again. Any Session data makes the server stateless.

What does JWT do?

jwt verification method is to encrypt user information to generate a token. Each time a request is made to the server, it only needs to use the saved key to verify the correctness of the token. There is no need to Any session data is saved, and the server becomes stateless, making it easy to expand.

User information before encryption, such as:

{
    "username": "vist",
    "role": "admin",
    "expire": "2018-12-08 20:20:20"
}
Copy after login

Token received by the client:

7cd357af816b907f2cc9acbe9c3b4625
Copy after login

JWT structure

A The token is divided into 3 parts:

  • header

  • payload

  • Signature(signature)

The three parts are separated by ".", such as:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Copy after login

Header

JWT The header part is a JSON object describing metadata, usually:

{
  "typ": "JWT",
  "alg": "HS256"
}
Copy after login

typ is the declaration type, specify "JWT"

alg is the encryption algorithm, the default is "HS256"

Load

The payload is the carrier of data, used to store the actual data information that needs to be transmitted, and is also a JSON object.

JWT official recommended fields:

  • iss: jwt issuer

  • sub: jwt for users

  • aud: The party receiving jwt

  • exp: The expiration time of jwt, this expiration time must be greater than the issuance time

  • nbf: Define the time before which the jwt is unavailable.

  • iat: The issuance time of the jwt

  • jti: The unique identity of jwt, mainly used as a one-time token to avoid replay attacks.

You can also use custom fields, such as:

{
    "username": "vist",
    "role": "admin"
}
Copy after login

Signature

The signature part is a comparison of the first two parts (header part, payload) to prevent data tampering.

Follow the following steps to generate:

1. Specify the secret first

2. Convert the header and payload information to base64 respectively

3. Use the algorithm specified in the header to encrypt

Finally, signature = HMACSHA256(base64UrlEncode(header) "." base64UrlEncode(payload),secret)

The signature obtained by the client:

header.payload.signature
Copy after login

The JWT can also be re-encrypted.

Recommended tutorial: "PHP"

The above is the detailed content of What does JWT do?. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
jwt
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template