What is a JWT (JSON Web Token)?

Link to the original text: http://www.leftso.com/blog/220.html

Reprinted from http://www.leftso.com/blog/220.html, which also hosts other blog articles and collections for learning and sharing.

1. What is JWT?

JWT is the abbreviation of JSON Web Token, and the full name already tells you most of what it is. A token is generally used for authentication: for example, the user login token commonly used in our systems lets us check whether a user is logged in or not. A JWT is likewise often used as a secure token.

Definition of JWT:
JWT is a compact, URL-safe, self-describing format for transferring claims between two parties. As an open standard (RFC 7519), JWT defines a compact, self-contained way to transfer information securely between communicating parties as a JSON object. Because the token carries a digital signature, its contents can be trusted. A JWT can be signed with an HMAC algorithm or with an RSA public/private key pair.
JWT features:

  • Compact: because the token is small and transmits quickly, it can be sent in a URL, as a POST parameter, or in an HTTP header.

  • Self-contained: the payload carries all the information the application needs about the user, avoiding repeated database queries.

2. What does a JWT consist of?

2.1. JWT structure
A JWT consists of three parts separated by periods ('.'):

  1. Header
  2. Payload
  3. Signature

Note that the order is header.payload.signature
The final structure looks something like this:

leftso.com.blog

Of course, a real JWT is not such simple plain text.

2.2. JWT header
The header usually has two parts: the token type and the signing algorithm. For example:

{
  "alg": "HS256",
  "typ": "JWT"
}  

The JSON above states that the signing algorithm is HS256 and the token type is JWT.

Base64-encoding the content above gives the header of our JWT. The encoded result is:
(The original site provides an online base64 encoding/decoding tool for readers to test with.)

ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIgp9ICA=


2.3. JWT payload
The payload is the second part of the JWT. The JWT standard defines several basic fields:

  1. iss: the issuer of the JWT
  2. sub: the subject, i.e. the user the JWT is about
  3. aud: the audience, i.e. the party that receives the JWT
  4. exp (expires): when the token expires, as a Unix timestamp
  5. iat (issued at): when the token was issued


Besides the standard fields, we usually also define fields needed by our own business logic. A user token, for instance, will generally carry the user's login token or user id. A simple example:

{
    "iss": "Lefto.com",
    "iat": 1500218077,
    "exp": 1500218077,
    "aud": "www.leftso.com",
    "sub": "leftso@qq.com",
    "user_id": "dc2c4eefe2d141490b6ca612e252f92e",
    "user_token": "09f7f25cdb003699cee05759e7934fb2"
}

The user_id and user_token fields above are ones we defined ourselves.

Now base64-encode the whole payload. The result is:

ewogICAgImlzcyI6ICJMZWZ0by5jb20iLAogICAgImlhdCI6IDE1MDAyMTgwNzcsCiAgICAiZXhwIjogMTUwMDIxODA3NywKICAgICJhdWQiOiAid3d3LmxlZnRzby5jb20iLAogICAgInN1YiI6ICJsZWZ0c29AcXEuY29tIiwKICAgICJ1c2VyX2lkIjogImRjMmM0ZWVmZTJkMTQxNDkwYjZjYTYxMmUyNTJmOTJlIiwKICAgICJ1c2VyX3Rva2VuIjogIjA5ZjdmMjVjZGIwMDM2OTljZWUwNTc1OWU3OTM0ZmIyIgp9


2.4. Signature
The signature protects the integrity of the header and payload taken together.
First, join the header and the payload with a period, as header.payload. For the examples above, the joined string is:

ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIgp9ICA=.ewogICAgImlzcyI6ICJMZWZ0by5jb20iLAogICAgImlhdCI6IDE1MDAyMTgwNzcsCiAgICAiZXhwIjogMTUwMDIxODA3NywKICAgICJhdWQiOiAid3d3LmxlZnRzby5jb20iLAogICAgInN1YiI6ICJsZWZ0c29AcXEuY29tIiwKICAgICJ1c2VyX2lkIjogImRjMmM0ZWVmZTJkMTQxNDkwYjZjYTYxMmUyNTJmOTJlIiwKICAgICJ1c2VyX3Rva2VuIjogIjA5ZjdmMjVjZGIwMDM2OTljZWUwNTc1OWU3OTM0ZmIyIgp9


Since the HMAC-SHA256 algorithm requires a key, we use leftso as the key for now.

The HMAC-SHA256 output (as a hex string) is:

686855c578362e762248f22e2cc1213dc7a6aff8ebda52247780eb6b5ae91877


This HMAC output is in fact the signature of the JWT. It works much like computing the MD5 of a file and comparing it against the MD5 of the received copy, except that HMAC-SHA256 needs a key, which must be known to both the signing party and the receiving party.

Base64-encoding the signature content above gives the final signature:

Njg2ODU1YzU3ODM2MmU3NjIyNDhmMjJlMmNjMTIxM2RjN2E2YWZmOGViZGE1MjI0Nzc4MGViNmI1YWU5MTg3Nw==


2.5. Final JWT
Joining the three encoded parts with periods gives the final JWT:

ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIgp9ICA=.ewogICAgImlzcyI6ICJMZWZ0by5jb20iLAogICAgImlhdCI6IDE1MDAyMTgwNzcsCiAgICAiZXhwIjogMTUwMDIxODA3NywKICAgICJhdWQiOiAid3d3LmxlZnRzby5jb20iLAogICAgInN1YiI6ICJsZWZ0c29AcXEuY29tIiwKICAgICJ1c2VyX2lkIjogImRjMmM0ZWVmZTJkMTQxNDkwYjZjYTYxMmUyNTJmOTJlIiwKICAgICJ1c2VyX3Rva2VuIjogIjA5ZjdmMjVjZGIwMDM2OTljZWUwNTc1OWU3OTM0ZmIyIgp9.Njg2ODU1YzU3ODM2MmU3NjIyNDhmMjJlMmNjMTIxM2RjN2E2YWZmOGViZGE1MjI0Nzc4MGViNmI1YWU5MTg3Nw==
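The header/payload/signature construction of sections 2.2 to 2.5 in runnable Python, as an added example that is not code from the original post. It goes slightly beyond the walkthrough by following the rules real JWT libraries use (RFC 7519/7515): base64url without '=' padding, compact JSON, and a signature made from the raw HMAC-SHA256 bytes rather than a hex string, which is why a real token looks different from the one above. It also adds the verification side; the key and claim values are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    """base64url without '=' padding, as JWS requires (not plain base64)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """Build header.payload.signature; HMAC-SHA256 is computed over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    # compact separators: no whitespace or newlines inside the encoded JSON
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    sig = hmac.new(key, ".".join(segments).encode("ascii"), hashlib.sha256).digest()  # raw bytes, not hex
    return ".".join(segments + [b64url_encode(sig)])


def verify_hs256(token, key, now=None):
    """Return the claims if the token is authentic and unexpired, else None.
    Checks: exactly three segments; the header must say HS256 (so a header
    claiming another algorithm such as "none" is rejected before any MAC work);
    the MAC is compared in constant time; exp is enforced when present."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, AttributeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or ("exp" in claims and now >= claims["exp"]):
        return None
    return claims
```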


Added by Nugen on Tue, 10 Sep 2019 09:15:31 +0300