<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Dino Lai Software Blogs include Notes, Records and Resources">
<meta name="keywords" content="Programming,System,Coding,Software Develop">
<meta name="author" content="Dino Lai">
<title>JWT - JSON Web Token - Dinote</title>
<!-- Facebook Open Graph -->
<meta property="og:url" content="https://dinolai.com/notes/web/jwt.html" />
<meta property="og:type" content="article" />
<meta property="og:title" content="JWT - JSON Web Token - Dinote" />
<meta property="og:description" content="Dino Lai Software Blogs include Notes, Records and Resources" />
<meta property="og:image" content="https://dinolai.com/assets/images/logo-icon-name.png" />
<!-- End Facebook Open Graph -->
<link rel="icon" href="/favicon.png" type="image/png">
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
crossorigin="anonymous">
<!-- Optional theme -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp"
crossorigin="anonymous">
<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.4.1/styles/vs.min.css">
<link rel="stylesheet" href="/node_modules/github-markdown-css/github-markdown.css">
<link rel="stylesheet" href="/assets/css/layout.css">
<script src="/assets/js/google-tags.js"></script>
</head>
<body>
<nav class="navbar navbar-inverse">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false"
aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/">Dinote</a>
</div>
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li id="info-link"><a href="/info">Info</a></li>
<li id="notes-link"><a href="/notes">Notes</a></li>
<li id="toys-link"><a href="/toys">Toys</a></li>
<li id="slides-link"><a href="/slides">Slides</a></li>
<li id="books-link"><a href="/books">Books</a></li>
<li><a href="https://photos.app.goo.gl/VQy1qPDjKNdcm8Qc6" target="_blank" rel="noopener">Records</a></li>
<li><a href="https://www.xmind.net/share/dinos80152/" target="_blank" rel="noopener">MindMaps</a></li>
</ul>
<form id="search-form" class="navbar-form navbar-right" role="search" action="/search" method="get">
<div class="form-group">
<label for="search-input" class="sr-only">Search</label>
<input id="search-input" name="q" type="search" class="form-control" placeholder="Search">
</div>
<button type="submit" class="btn btn-default">Submit</button>
</form>
</div>
</div>
<!--/.nav-collapse -->
</div>
</nav>
<div class="container">
<div class="row">
<div class="col-lg-9">
<article class="markdown-body">
<header>Updated: 2018-09-26 02:21:10 CST +08</header>
<main>
<h1 id="jwt-json-web-token">JWT - JSON Web Token</h1>
<h2 id="purpose">Purpose</h2>
<p>Store data on the client side that can be read but not modified — the signature lets the server detect any change. The payload is only base64url-encoded, not encrypted, so anyone who holds the token can read it: never put secrets in it.</p>
<ul>
<li>Authentication</li>
<li>Authorization</li>
</ul>
<h2 id="structure">Structure</h2>
<p><code>base64url(header).base64url(payload).base64url(signature)</code> (JWS compact serialization, RFC 7515 — base64url without padding, not plain base64)</p>
<blockquote>
<p>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9<strong>.</strong>eyJpc3MiOiJEaW5vIExhaSIsInN1YiI6ImRpbm9zODAxNTJAZ21haWwuY29tIiwiYXVkIjoiZGlub2xhaS5jb20iLCJleHAiOjE1MzczNTcyNjIsImlhdCI6MTUzNzM1NzE2MiwidXNlcklkIjo4MDE1Mn0<strong>.</strong>YaLyoBs8z5Va7YsIQaC6uEZDw8GZHBiV_2hIUSVQYUs</p>
</blockquote>
<h3 id="header">Header</h3>
<pre><code class="language-json">{
"alg": "HS256", // algorithm
"typ": "JWT" // type
}
</code></pre>
<h3 id="payload">Payload</h3>
<pre><code class="language-json">{
"iss": "Dino Lai", // issuer
"sub": "dinos80152@gmail.com", // subject
"aud": "dinolai.com", // audience
"exp": 1537357262, // expiration time
"iat": 1537357162, // issued at
"userId": 80152 // custom field
}
</code></pre>
<h3 id="signature">Signature</h3>
<p>Sign (not encrypt) with the algorithm named in the header — for <code>HS256</code> an HMAC-SHA256 over the two base64url segments using a secret shared by the auth server and the application server. The signature gives integrity and authenticity only; the payload stays readable. Verifiers must pin the expected algorithm and key on the server side instead of trusting the token's <code>alg</code> field, and must reject <code>alg: none</code>.</p>
<pre><code class="language-sh">HmacSHA256(base64(header)+"."+base64(payload), $secret)
</code></pre>
<h2 id="flow">Flow</h2>
<pre><code class="language-mermaid">sequenceDiagram
Client->>Auth Server: login
Auth Server->>Auth Server: authenticate
Auth Server->>Auth Server: get user id
opt Generate JWT
Auth Server->>Auth Server: get JWT header
note right of Auth Server: {"alg": "HS256", "typ": "JWT"}
Auth Server->>Auth Server: base64 encode JWT header
note right of Auth Server: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Auth Server->>Auth Server: put user id in JWT payload
note right of Auth Server: {"iss": "Dino Lai", "sub": "dinos80152@gmail.com", "aud": "dinolai.com", "exp": 1537357262, "iat": 1537357162 ,"userId": 80152}
Auth Server->>Auth Server: base64 encode JWT payload
note right of Auth Server: eyJpc3MiOiJEaW5vIExhaSIsInN1YiI6ImRpbm9zODAxNTJAZ21haWwuY29tIiwiYXVkIjoiZGlub2xhaS5jb20iLCJleHAiOjE1MzczNTcyNjIsImlhdCI6MTUzNzM1NzE2MiwidXNlcklkIjo4MDE1Mn0
Auth Server->>Auth Server: generate signature: HS256(base64(header)+"."+base64(payload), secret)
note right of Auth Server: YaLyoBs8z5Va7YsIQaC6uEZDw8GZHBiV_2hIUSVQYUs
Auth Server->>Auth Server: put it all together by [header].[payload].[signature]
note right of Auth Server: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<br/>eyJpc3MiOiJEaW5vIExhaSIsInN1YiI6ImRpbm9zODAxNTJAZ21haWwuY29tIiwiYXVkIjoiZGlub2xhaS5jb20iLCJleHAiOjE1MzczNTcyNjIsImlhdCI6MTUzNzM1NzE2MiwidXNlcklkIjo4MDE1Mn0.<br/>YaLyoBs8z5Va7YsIQaC6uEZDw8GZHBiV_2hIUSVQYUs
end
alt cookie
Auth Server->>Client: send cookie with JWT
note over Client, Auth Server: Set-Cookie: jwt=xxx, HttpOnly, Secure, SameSite=Lax, Max-Age=... (cookie transport also needs CSRF protection)
else header
Auth Server->>Client: response with header
note over Client, Auth Server: Authorization: Bearer &lt;jwt&gt;
end
Client->>Application Server: request with JWT
opt verify JWT
Application Server->>Application Server: verify signature to detect tampering
note left of Application Server: recompute the signature over header.payload with the server-configured algorithm and key (never the alg taken from the token header),<br/> then compare it with the token signature in constant time
Application Server->>Application Server: check expiration
note right of Application Server: check exp (and nbf, if present) in payload, allowing only a small clock skew
Application Server->>Application Server: check audience and issuer
note right of Application Server: aud in payload must name this server, iss must be the expected issuer
end
alt is Fail
Application Server->>Client: 401 UNAUTHORIZED
else is OK
Application Server->>Application Server: read user id from JWT
end
</code></pre>
<h2 id="comparison">Comparison</h2>
<table>
<thead>
<tr>
<th>Comparison</th>
<th>JWT</th>
<th>Cookie</th>
<th>Session</th>
</tr>
</thead>
<tbody>
<tr>
<td>Side</td>
<td>Client</td>
<td>Client</td>
<td>Server</td>
</tr>
<tr>
<td>Visible</td>
<td>✓</td>
<td>✓</td>
<td>☓</td>
</tr>
<tr>
<td>Tamper</td>
<td>☓</td>
<td>✓</td>
<td>☓</td>
</tr>
<tr>
<td>Identify</td>
<td>✓</td>
<td>☓</td>
<td>✓</td>
</tr>
<tr>
<td>additional resource</td>
<td>CPU for encode/decode and signature verification on every request</td>
<td></td>
<td>diskIO or network IO</td>
</tr>
</tbody>
</table>
<h2 id="reference">Reference</h2>
<ul>
<li><a href="https://jwt.io/">JSON Web Tokens - jwt.io</a></li>
<li><a href="http://blog.leapoahead.com/2015/09/06/understanding-jwt/">JSON Web Token - 在Web应用间安全地传递信息</a></li>
<li><a href="http://blog.leapoahead.com/2015/09/07/user-authentication-with-jwt/">八幅漫画理解使用JSON Web Token设计单点登录系统</a></li>
</ul>
<gcse:searchresults-only></gcse:searchresults-only>
</main>
</article>
<hr>
<div id="disqus_thread"></div>
</div>
<div class="col-lg-3">
<aside>
<section class="panel panel-grey">
<div class="panel-heading clickable" data-toggle="collapse" data-target="#notes-list-all" aria-controls="notes-list-all">
Notes Categories
</div>
<ul id="notes-list-all" class="list-group collapse in" aria-expanded="true">
<li class="list-group-item">
<a href="/notes#aws">AWS</a>
</li>
<li class="list-group-item">
<a href="/notes#books">Books</a>
</li>
<li class="list-group-item">
<a href="/notes#development">Development</a>
</li>
<li class="list-group-item">
<a href="/notes#php">PHP</a>
</li>
<li class="list-group-item">
<a href="/notes#laravel">Laravel</a>
</li>
<li class="list-group-item">
<a href="/notes#golang">Golang</a>
</li>
<li class="list-group-item">
<a href="/notes#git">Git</a>
</li>
<li class="list-group-item">
<a href="/notes#database">Database</a>
</li>
<li class="list-group-item">
<a href="/notes#linux">Linux</a>
</li>
<li class="list-group-item">
<a href="/notes#system">System</a>
</li>
<li class="list-group-item">
<a href="/notes#web">Web</a>
</li>
<li class="list-group-item">
<a href="/notes#editor">Editor</a>
</li>
<li class="list-group-item">
<a href="/notes#os">OS</a>
</li>
<li class="list-group-item">
<a href="/notes#others">Others</a>
</li>
</ul>
</section>
<section class="panel panel-grey">
<div class="panel-heading">Tutorial by Code Example</div>
<ul id="links-list-all" class="list-group">
<li class="list-group-item">
<a href="https://github.com/dinos80152/hackme" target="_blank" rel="noopener">Hack Me</a>
</li>
<li class="list-group-item">
<a href="https://github.com/dinos80152/php-tutorial" target="_blank" rel="noopener">PHP Tutorial</a>
</li>
<li class="list-group-item">
<a href="https://github.com/dinos80152/php-design-pattern-lol" target="_blank" rel="noopener">PHP Design Patterns</a>
</li>
<li class="list-group-item">
<a href="https://github.com/dinos80152/laravel5-example" target="_blank" rel="noopener">Laravel5 Examples</a>
</li>
<li class="list-group-item">
<a href="https://github.com/dinos80152/lairavel" target="_blank" rel="noopener">Web Framework Implementation</a>
</li>
</ul>
</section>
<section class="panel panel-grey">
<div class="panel-heading">Links</div>
<ul id="links-list-all" class="list-group">
<li class="list-group-item">
<i class="fa fa-github fa-fw" aria-hidden="true"></i>
<a href="https://github.com/dinos80152" target="_blank" rel="noopener"> Github</a>
</li>
<li class="list-group-item">
<i class="fa fa-facebook fa-fw" aria-hidden="true"></i>
<a href="https://www.facebook.com/dinolai.note/" target="_blank" rel="noopener"> Facebook</a>
</li>
<li class="list-group-item">
<i class="fa fa-get-pocket fa-fw" aria-hidden="true"></i>
<a href="https://getpocket.com/@dinos80152" target="_blank" rel="noopener"> Pocket</a>
</li>
<li class="list-group-item">
<i class="fa fa-flickr fa-fw" aria-hidden="true"></i>
<a href="https://photos.app.goo.gl/VQy1qPDjKNdcm8Qc6" target="_blank" rel="noopener"> Photos</a>
</li>
<li class="list-group-item">
<i class="fa fa-linkedin fa-fw" aria-hidden="true"></i>
<a href="https://www.linkedin.com/in/dinolai" target="_blank" rel="noopener"> LinkedIn</a>
</li>
<li class="list-group-item">
<i class="fa fa-envelope fa-fw" aria-hidden="true"></i>
<a href="mailto:[email protected]"> Mail</a>
</li>
</ul>
</section>
</aside>
</div>
</div>
</div>
<footer>
<p>© Copyright 2015-2017 by Dino Lai. All Rights Reserved.</p>
</footer>
<!-- Disqus Block -->
<script>
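// Disqus embed configuration: `page.url` is the URL Disqus records for the
// thread and `page.identifier` is the stable key used to look the thread up.
// Both are derived from the current location.
var disqus_config = function () {
    // NOTE(review): location.href carries query string and fragment; Disqus
    // recommends the canonical URL (cf. og:url in <head>) - confirm before changing.
    this.page.url = location.href;
    this.page.identifier = location.pathname + location.hash;
};
// Inject the Disqus embed script. The URL is explicit https: a protocol-relative
// "//" URL would load the third-party script over plain HTTP whenever the page
// itself is viewed over HTTP.
(function () {
    var d = document,
        s = d.createElement('script');
    s.src = 'https://dinolai.disqus.com/embed.js';
    s.setAttribute('data-timestamp', +new Date());
    (d.head || d.body).appendChild(s);
})();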
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
<script id="dsq-count-scr" src="//dinolai.disqus.com/count.js" async></script>
<!--End Disqus Block-->
<script src="/assets/js/google-search.js"></script>
<script src="https://code.jquery.com/jquery-3.1.1.slim.min.js" integrity="sha384-A7FZj7v+d/sdmMqp/nOQwliLvUsJfDHW+k9Omg/a/EheAdgtzNs3hpfag6Ed950n"
crossorigin="anonymous"></script>
<!-- Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa"
crossorigin="anonymous"></script>
<!-- TODO(review): pin these third-party scripts (and the cdnjs/unpkg ones below) with integrity= hashes, as already done for Bootstrap and jQuery -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.4.1/highlight.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.4.1/languages/go.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.4.1/languages/dockerfile.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.4.1/languages/yaml.min.js"></script>
<script src="/bower_components/bower-webfontloader/webfont.js"></script>
<script src="/bower_components/snap.svg/dist/snap.svg-min.js"></script>
<script src="/bower_components/underscore/underscore-min.js"></script>
<script src="/bower_components/js-sequence-diagrams/dist/sequence-diagram-min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/raphael/2.2.7/raphael.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/flowchart/1.6.6/flowchart.min.js"></script>
<script src="https://unpkg.com/[email protected]/dist/mermaid.min.js"></script>
<script>
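// Page setup once the DOM is ready: code highlighting, diagram rendering,
// navbar active state and the search-form redirect.
$(document).ready(function () {
    // Syntax highlighting for every fenced block (highlight.js 10.x API).
    $('pre code').each(function (i, block) {
        hljs.highlightBlock(block);
    });
    // Give markdown tables the Bootstrap look.
    $("table").addClass("table table-striped");
    // js-sequence-diagrams for ```sequence blocks.
    var options = {
        theme: "simple"
    };
    $("pre code.language-sequence").sequenceDiagram(options);
    // flowchart.js for ```flow blocks: each block becomes an SVG container
    // identified by a generated id.
    document.querySelectorAll("pre code.language-flow").forEach(function (element, index) {
        let md = element.textContent;
        element.innerHTML = "";
        let id = "flowchart" + index;
        element.id = id;
        flowchart.parse(md).drawSVG(id);
    }, this);
    // mermaid for ```mermaid blocks.
    mermaid.init(undefined, $("pre code.language-mermaid"));
    // Navbar: highlight the top-level section the current path belongs to.
    // The nav list sits directly under #navbar (there is no div.row wrapper),
    // so select it that way or the removeClass is a no-op.
    $("#navbar ul.nav li").removeClass("active");
    // Declared locally: the previous assignment leaked an implicit global
    // (and throws in strict mode). The segment comes from the URL, so it is
    // looked up by id instead of being spliced into a jQuery selector, where
    // characters such as "%" raise a selector syntax error and would abort
    // the rest of this handler, including the search binding below.
    var parentDir = location.pathname.split("/")[1];
    var activeLink = document.getElementById(parentDir + "-link");
    if (activeLink) {
        $(activeLink).addClass("active");
    }
    // Google custom search: redirect to /search with the query URL-encoded so
    // that "&", "#", "+" etc. in the input cannot truncate or alter the parameter.
    $("#search-form").submit(function (event) {
        event.preventDefault();
        location.href = location.protocol + "//" + location.host +
            "/search?q=" + encodeURIComponent($("#search-input").val());
    });
});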
</script>
</body>
</html>