JWT - JSON Web Tokens

Posted: 2019/3/25 21:47:56

Official site:
https://jwt.io/

What is JSON Web Token?

My own understanding

A JSON Web Token is like our ID card: it is the thing that proves "I am me".
An ID card is a physical card, whereas a JSON Web Token is a string, something like this:

{name: Xiao Ming}

From then on you can carry this JWT around like an ID card and tell others, "I am Xiao Ming".
To stop you, or anyone else, from altering the information on this ID card (the JWT), a stamp is put on it.
That is, the JWT is given a signature. The signature is derived from the content, so if you change the content, the signature no longer matches.

In other words, if I claim I am not Xiao Ming but Li Si, the forgery is exposed, because the signature does not match.

From the official documentation

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

Here "claims" means assertions or statements.
Given a party A and a party B, A can use a JSON Web Token to assert to B, "I am A".

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Note the wording of the last sentence: JWTs are signed, either with a shared secret (HMAC) or with a public/private key pair (RSA or ECDSA). Signing is not encryption; a signed token's payload is still readable by anyone who holds it.

Although JWTs can be encrypted to also provide secrecy between parties, we will focus on signed tokens. Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.

In short: although a JWT can also be encrypted to keep its contents secret, the focus here is on signed tokens. A signature lets the receiver verify that the claims have not been altered, while encryption hides the claims from third parties. When a public/private key pair is used for signing, the signature also shows that only the holder of the private key could have produced it.

JWTs are credentials, which can grant access to resources.

JWTs are credentials: whoever holds one can access resources with it, so they must be kept safe.


When should you use JSON Web Tokens?

Here are some scenarios where JSON Web Tokens are useful:

Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.

Authorization: this is the most common use of JWT. Once the user has logged in, every subsequent request carries the JWT, which lets the user reach the protected services and resources. Only the resources that token is permitted to access, of course, not necessarily everything on the server, since permissions may be configured.
Single sign-on also makes wide use of JWT today, because the overhead is small and the token can be used across domains.

Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn’t been tampered with.

Information exchange: when two systems need to pass information between them securely, JWT is a good fit, because a JWT can be signed, for example with a public/private key pair. The sender is then whoever the token says it is (if the JWT claims "I am Xiao Ming", the sender is Xiao Ming, because the signed content cannot be modified without invalidating the signature). Also, since the signature is computed over the header and the payload, you can verify that the content has not been tampered with.

Libraries for Token Signing/Verification

https://github.com/jwtk/jjwt

https://auth0.com/docs/quickstart/webapp/java-spring-security-mvc
https://auth0.com/docs/flows/concepts/regular-web-app-login-flow#how-it-works
https://github.com/auth0-samples

Copyright notice
Author: SQBER
Source: http://www.sqber.com/articles/jwt.html
Copyright of this article belongs to the author. Reposting is welcome, but without the author's consent this notice must be retained and a link to the original must be shown prominently on the page; otherwise the author reserves the right to pursue legal action.