JWT: JSON Web Token is an open standard for passing claims (security information) between two parties. It is:
- Self-contained: carries all the information necessary within itself.
- A JSON object on its own.
Mainly used in web applications (or services):
- Can be used in JavaScript, Node.js, Java, .NET, Python, PHP, Ruby etc.
- Can be used/passed as part of a URL (query string), a form body parameter, a cookie, or an HTTP header (x-access-token).
- Great for single sign-on.
JWT is a solution to the complexity of traditional session-based authentication.
A JWT consists of three sections separated with dots:
- header, payload and signature
- All are base64 encoded. Because this is only base64 encoding, the token can be decoded by anyone, but because of the signature it cannot be tampered with (one-way hash). The payload contents can of course be encrypted before being encoded, which is more secure.
Header - usually contains 2 parts, in the form of JSON:
- typ - should be JWT
- alg - hashing algorithm (HS256, RS512, ES384 etc.)
Payload - contains, but is not limited to, the following information:
- the information which we need to transmit (custom data we want to carry)
- the information related to the token itself (such as issuer, expiration time, etc.)
- the information is a JSON representation of claims (key: value)
Signature
- a hash of the header and payload, computed with the hashing algorithm named in the header
JWT = header + payload + signature
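The three dot-separated sections described above, worked through in code. This is an added example, not code from the original notes: it builds an HS256 token with only the Python standard library (hmac, hashlib, base64, json), shows that header and payload decode without any key, and shows that changing a claim without re-signing, using the wrong key, or presenting an expired token all fail verification. The secret key and the claims are constructed values for the demo. Note that the standard uses base64url without padding rather than plain base64, which the helpers below handle.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# --- base64url helpers: JWT sections use base64url with the '=' padding stripped ---

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # restore the padding that was stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_section(obj: dict) -> str:
    # compact JSON, then base64url, gives one dot-separated section
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


# --- creating a token: header . payload . signature ---

def create_jwt(payload: dict, secret: bytes) -> str:
    header = {"typ": "JWT", "alg": "HS256"}
    header_b64 = _json_section(header)
    payload_b64 = _json_section(payload)
    # the signature covers the encoded header and payload joined by a dot
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


# --- reading a token without checking it: anyone can do this, it is only base64 ---

def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


# --- verifying a token: signature, pinned algorithm, expiry ---

def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated sections")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # pin the expected algorithm instead of trusting 'alg' from the token
    if header.get("typ") != "JWT" or header.get("alg") != "HS256":
        raise ValueError("unexpected header: %r" % header)
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # constant-time comparison of the signatures
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature does not match header and payload")
    payload = json.loads(b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if "exp" in payload and current >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload


def is_valid(token: str, secret: bytes, now: Optional[int] = None) -> bool:
    try:
        verify_jwt(token, secret, now)
        return True
    except ValueError:  # also covers JSON and base64 decoding errors
        return False


def change_claims_without_resigning(token: str, changes: dict) -> str:
    # Re-encodes the payload with modified claims but keeps the old signature,
    # which is exactly what the signature check is there to detect.
    header_b64, payload_b64, signature_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{_json_section(payload)}.{signature_b64}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret-do-not-reuse"  # constructed for the example
    claims = {"sub": "alice", "role": "user", "iss": "demo-issuer", "exp": 2000}
    token = create_jwt(claims, secret)
    print("token:", token)
    print("decoded without key:", decode_jwt_unverified(token))
    print("valid with right key:", is_valid(token, secret, now=1000))
    print("valid with wrong key:", is_valid(token, b"other-secret", now=1000))
    print("valid after expiry:", is_valid(token, secret, now=3000))
    altered = change_claims_without_resigning(token, {"role": "admin"})
    print("valid after claim change:", is_valid(altered, secret, now=1000))
```

The `now` parameter exists so the expiry check is deterministic in the demo; in a real service you would leave it unset and let `time.time()` decide. Pinning `alg` in the verifier (rather than reading it from the token) is the check that keeps the signature meaningful: the header tells the reader which algorithm was used, but the verifier must only accept the algorithm it was configured for.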
Using JWT in practice
Some online tools for testing JWTs
Online tools to create a JWT:
- http://jwtbuilder.jamiekurtz.com
- http://kjur.github.io/jsjws/tool_jwt.html
Online tools to verify a JWT:
Online tools for base64 encode/decode:
- https://www.base64encode.org
- https://www.base64decode.org
References:
https://www.youtube.com/watch?v=oXxbB5kv9OA