JSON Web Token Introduction - jwt.io (https://jwt.io/introduction)
What is JSON Web Token?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Although JWTs can be encrypted to also provide secrecy between parties, we will focus on signed tokens. Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.
When should you use JSON Web Tokens?
Here are some scenarios where JSON Web Tokens are useful:
- Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
- Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed (for example, using public/private key pairs) you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.
What is the JSON Web Token structure?
In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:
- Header
- Payload
- Signature
Therefore, a JWT typically looks like the following.
xxxxx.yyyyy.zzzzz
Let's break down the different parts.
Header
The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
For example:
{
"alg": "HS256",
"typ": "JWT"
}
Then, this JSON is Base64Url encoded to form the first part of the JWT.
Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
- Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others. Notice that the claim names are only three characters long as JWT is meant to be compact.
- Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.
- Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered nor public claims.
An example payload could be:
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
The payload is then Base64Url encoded to form the second part of the JSON Web Token.
Do note that for signed tokens this information, though protected against tampering, is readable by anyone. Do not put secret information in the payload or header elements of a JWT unless it is encrypted.
Signature
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.
Putting all together
The output is three Base64-URL strings separated by dots that can be easily passed in HTML and HTTP environments, while being more compact when compared to XML-based standards such as SAML.