jwt is just an abbreviation, and the full spelling is JSON Web Tokens. It is a popular cross-domain authentication solution, a JSON-based token used to declare certain claims on the network.
JWT Principle
jwt verification method is to encrypt user information to generate a token. Each time the server requests only It is necessary to use the saved key to verify the correctness of the token. There is no need to save any session data, and the server becomes stateless and easy to expand.
User information before encryption, such as:
{ "username": "vist", "role": "admin", "expire": "2018-12-08 20:20:20" }
Token received by the client:
7cd357af816b907f2cc9acbe9c3b4625
JWT structure
A The token is divided into 3 parts:
header
payload
Signature(signature)
The three parts are separated by ".", such as:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
JWT The header part is a JSON object describing metadata, usually:
{ "typ": "JWT", "alg": "HS256" }
typ is the declaration type, specify "JWT"
alg is the encryption algorithm, the default is "HS256"
can also be the following algorithm:
Load
The payload is the carrier of data, used To store the actual data information that needs to be transmitted, it is also a JSON object.
JWT official recommended fields:
iss: jwt issuer
sub: jwt for users
aud: The party receiving jwt
exp: The expiration time of jwt, this expiration time must be greater than the issuance time
nbf: Define the time before which the jwt is unavailable.
iat: The issuance time of the jwt
jti: The unique identity of jwt, mainly used as a one-time token to avoid replay attacks.
You can also use custom fields, such as:
{ "username": "vist", "role": "admin" }
Signature
The signature part is a comparison of the first two parts (header part, payload) to prevent data tampering.
Follow the following steps to generate:
1. Specify the secret first
2. Convert the header and payload information to base64 respectively
3. Use the algorithm specified in the header to encrypt
Finally, signature = HMACSHA256(base64UrlEncode(header) "." base64UrlEncode(payload),secret)
The signature obtained by the client:
header.payload.signature
The JWT can also be re-encrypted.
JWT usage
1. The server encrypts the user information into the token according to the user's login status and returns it to the client
2. Client The client receives the token returned by the server and stores it in the cookie
3. Each communication between the client and the server brings the token, which can be placed in the http request header information, such as: in the Authorization field
4. The server decrypts the token, verifies the content, and completes the corresponding logic
JWT features
JWT is more concise and more suitable for use in Passed in HTML and HTTP environments
JWT is suitable for one-time verification, such as: activation email
JWT is suitable for stateless authentication
JWT is suitable for server-side CDN content distribution
It is more time-saving than database Session query
JWT is not encrypted by default
You cannot cancel the token or change the permissions of the token during use
JWT recommends using the HTTPS protocol to transmit the code
The above is the detailed content of what is jwt. For more information, please follow other related articles on the PHP Chinese website!