what is jwt

jwt is just an abbreviation, and the full spelling is JSON Web Tokens. It is a popular cross-domain authentication solution, a JSON-based token used to declare certain claims on the network.

JWT Principle

jwt verification method is to encrypt user information to generate a token. Each time the server requests only It is necessary to use the saved key to verify the correctness of the token. There is no need to save any session data, and the server becomes stateless and easy to expand.

User information before encryption, such as:

{
    "username": "vist",
    "role": "admin",
    "expire": "2018-12-08 20:20:20"
}

Token received by the client:

7cd357af816b907f2cc9acbe9c3b4625

JWT structure

A The token is divided into 3 parts:

• header

• payload

• Signature(signature)

The three parts are separated by ".", such as:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

JWT The header part is a JSON object describing metadata, usually:

{
  "typ": "JWT",
  "alg": "HS256"
}

typ is the declaration type, specify "JWT"

alg is the encryption algorithm, the default is "HS256"

can also be the following algorithm:

Load

The payload is the carrier of data, used To store the actual data information that needs to be transmitted, it is also a JSON object.

JWT official recommended fields:

• iss: jwt issuer

• sub: jwt for users

• aud: The party receiving jwt

• exp: The expiration time of jwt, this expiration time must be greater than the issuance time

• nbf: Define the time before which the jwt is unavailable.

• iat: The issuance time of the jwt

• jti: The unique identity of jwt, mainly used as a one-time token to avoid replay attacks.

You can also use custom fields, such as:

{
    "username": "vist",
    "role": "admin"
}

Signature

The signature part is a comparison of the first two parts (header part, payload) to prevent data tampering.

Follow the following steps to generate:

1. Specify the secret first

2. Convert the header and payload information to base64 respectively

3. Use the algorithm specified in the header to encrypt

Finally, signature = HMACSHA256(base64UrlEncode(header) "." base64UrlEncode(payload),secret)

The signature obtained by the client:

header.payload.signature

The JWT can also be re-encrypted.

JWT usage

1. The server encrypts the user information into the token according to the user's login status and returns it to the client

2. Client The client receives the token returned by the server and stores it in the cookie

3. Each communication between the client and the server brings the token, which can be placed in the http request header information, such as: in the Authorization field

4. The server decrypts the token, verifies the content, and completes the corresponding logic

JWT features

• JWT is more concise and more suitable for use in Passed in HTML and HTTP environments

• JWT is suitable for one-time verification, such as: activation email

• JWT is suitable for stateless authentication

• JWT is suitable for server-side CDN content distribution

• It is more time-saving than database Session query

• JWT is not encrypted by default

• You cannot cancel the token or change the permissions of the token during use

• JWT recommends using the HTTPS protocol to transmit the code

The above is the detailed content of what is jwt. For more information, please follow other related articles on the PHP Chinese website!