JWT - The Structure of a JWT

Date: 2019/3/28 9:03:36

What is the JSON Web Token structure?

The structure of a JWT

In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

A JWT is made up of three parts, separated from one another by a dot (.):

  • Header
  • Payload
  • Signature

The Payload is the part of the JWT that carries the information.
A JWT works like a truck transporting goods, which is why the information part is called the Payload.

Therefore, a JWT typically looks like the following.
xxxxx.yyyyy.zzzzz
Let’s break down the different parts.

So a typical JWT looks like this:

xxxxx.yyyyy.zzzzz

Let's now look at it one part at a time.

Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

A typical header contains two parts:

1. The type of the token, i.e. JWT.
2. The algorithm used to produce the signature, for example HMAC SHA256 or RSA.

  {
    "alg": "HS256",
    "typ": "JWT"
  }

Then, this JSON is Base64Url encoded to form the first part of the JWT.

This JSON string is then Base64Url encoded (encoding, not encryption: anyone can decode it) to form the first part of the JWT,
that is, the xxxxx part of xxxxx.yyyyy.zzzzz.

Payload

The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.

The second part of the JWT is the Payload, and the payload contains "claims".
A "claim" holds information about an entity (typically the user) together with some additional data.
There are three kinds of "claims": predefined/built-in (registered), public, and private.

Registered claims

These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims.
Some of them are: iss (issuer), exp (expiration time), sub (subject) and others.

A number of useful claims are predefined. They are not mandatory, but it is recommended that you include them.
Among them are:
iss (issuer): who issued the token
exp (expiration time): when the JWT expires
sub (subject): the subject the token is about

Public claims

These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON WEB TOKEN Registry or be defined as a URI that contains a collision resistant namespace.

Public claims are up to you: you decide whether to use them. To avoid collisions, however, it is recommended to use claims that are already defined, listed in the IANA JSON WEB TOKEN Registry, or to define the claim with a collision-resistant namespace.

Private claims

These are the custom claims created to share information between parties that agree on using them and are neither registered nor public claims.

Private claims are custom claims agreed upon by the two parties; they are neither registered claims nor public claims.

An example payload could be:

So a typical payload looks like this:

  {
    "sub": "1234567890",
    "name": "John Doe",
    "admin": true
  }

The payload is then Base64Url encoded to form the second part of the JSON Web Token.

The JSON string above is then Base64Url encoded to form the second part of the JWT.

Warning

Do note that for signed tokens this information, though protected against tampering, is readable by anyone. Do not put secret information in the payload or header elements of a JWT unless it is encrypted.

The information carried by a signed token cannot be tampered with, but anyone can read its contents, so do not store secret information in the payload or header unless it has been encrypted.

Signature

To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

To produce the signature you need the Base64Url-encoded header, the Base64Url-encoded payload, a secret, and the algorithm specified in the header.

For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way.

If the algorithm you specified in the header is HMAC SHA256, the signature is produced as follows:

  HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    secret)

The signature is used to verify the message wasn’t changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.

The signature is used to verify that the message was not tampered with in transit. For a token signed with a private key, it can also verify that the sender of the JWT is who it claims to be.
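The HS256 formula above, and the warning that the payload is readable without the secret, carried through in Python as an added example (not code from the original post or from jwt.io); the secret value is a constructed sample, and the header and payload are the ones shown on this page.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # Base64Url as JWT requires: URL-safe alphabet, '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    # compact separators so the result matches the jwt.io encoding
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    signing_input = encode_json(header) + "." + encode_json(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes):
    """Return the payload dict if the signature checks out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    # only accept the algorithm this verifier was built for
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        return None
    return json.loads(b64url_decode(p))


def read_payload_unverified(token: str) -> dict:
    # no secret needed: this is why secrets must not go into the payload
    return json.loads(b64url_decode(token.split(".")[1]))


HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "admin": True}
SECRET = b"example-secret"  # constructed sample secret, not a real key
```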

Putting it all together

The output is three Base64-URL strings separated by dots that can be easily passed in HTML and HTTP environments, while being more compact when compared to XML-based standards such as SAML.

Finally, the three Base64Url-encoded strings are joined into a result that is easy to pass around in HTML and HTTP, and is more compact than XML-based formats such as SAML.

The following shows a JWT that has the previous header and payload encoded, and it is signed with a secret.

Once the "header", "payload" and "signature" described above are joined together, the result looks like the following.

If you want to play with JWT and put these concepts into practice, you can use jwt.io Debugger to decode, verify, and generate JWTs.

If you want to try it yourself, you can experiment with the jwt.io Debugger, which lets you decode, verify and generate JWTs.

Copyright notice
Author: SQBER
Source: http://www.sqber.com/articles/json-web-token-structure.html
The copyright of this article belongs to the author. Reposting is welcome, but without the author's consent this notice must be kept and a link to the original must be given in a prominent place on the page; otherwise the author reserves the right to pursue legal action.