JWT detailed instructions for use


What is a token?

A token is a string used for authentication. The server issues it, the client stores it and sends it back with every request, and the server reads the data carried inside the token to identify the user and maintain the session.

What is the difference between HS256 and RS256?

RS256 (RSA signature with SHA-256) is an asymmetric algorithm that uses a public/private key pair: the identity provider signs with the private key, and the JWT consumer obtains the public key to verify the signature. Since public keys (as opposed to private keys) need no protection, most identity providers make them easy to obtain (usually through a metadata URL).
HS256 (HMAC with SHA-256), on the other hand, is a symmetric algorithm: a single secret key is shared between the two parties. Since the same key both generates and verifies the signature, anyone who holds it can mint valid tokens, so care must be taken to ensure the key is not compromised.

JWT structure

A JWT consists of three base64url-encoded parts separated by dots: header, payload and signature.

The header has two fields: the token type (JWT) and the signing algorithm (HS256 or RS256). JWT base64url-encodes this JSON to produce the first part of the token. Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

{
  "typ": "JWT",
  "alg": "HS256"
}

import java.nio.charset.StandardCharsets;
import java.util.Base64;

String header = "{\"typ\":\"JWT\",\"alg\":\"HS256\"}";
// base64url encoding without padding, which is what JWT actually uses (Base64 is encoding, not encryption)
String a = Base64.getUrlEncoder().withoutPadding().encodeToString(header.getBytes(StandardCharsets.UTF_8));

// base64url decoding: anyone holding the token can read the header and payload this way
byte[] b = Base64.getUrlDecoder().decode(a);
String b1 = new String(b, StandardCharsets.UTF_8);


The payload stores the token's actual information. Its claims can be custom fields or standard fields predefined by the JWT specification, in three categories:
Registered claims (defined in the standard)
Public claims
Private claims
The standard (registered) fields are:

iss: Issuer, the party that issued the token
sub: Subject, the user the JWT is about
aud: Audience, the intended receiver of the JWT
exp: Expiration time, after which the token must not be accepted
nbf: Not before, the time before which the token must not be accepted
iat: Issued at, the time the token was issued
jti: JWT ID, a unique token identifier used to detect and reject replayed tokens


The signature is computed from three inputs:
the base64url-encoded header
the base64url-encoded payload
a secret. The encoded header and payload are joined with a dot, and the algorithm named in the header's alg field is applied to that string with the secret (for HS256, an HMAC-SHA256 keyed with the shared secret). The result is base64url-encoded and appended as the third part of the token. The signature only proves integrity and origin; it does not encrypt the header or payload.
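The following is an added, stand-alone Python example (not the page's Java code and not from the jjwt library) that builds the three-part token exactly as described above, signs it with HS256 and then verifies it. The verifier checks the header's algorithm against the one the server expects, compares the signature in constant time, and only then checks the iss, exp and nbf claims. The secret, claim values and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real HS256 key should be >= 256 bits of random data.
SECRET = b"constructed-demo-secret-that-is-at-least-32-bytes"


def b64url_encode(data: bytes) -> str:
    """JWT parts use base64url with the '=' padding stripped (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(header: dict, payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature: HMAC-SHA256 over the two encoded
    parts joined by a dot, with the signature itself base64url-encoded."""
    header_part = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_part = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_part}.{payload_part}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_part}.{payload_part}.{b64url_encode(signature)}"


def hs256_verify(token: str, secret: bytes, issuer: str,
                 now: Optional[float] = None) -> dict:
    """Check the signature before trusting anything in the payload, then the
    registered claims (iss, exp, nbf). Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    header_part, payload_part, sig_part = parts
    header = json.loads(b64url_decode(header_part))
    # Pin the algorithm server-side; never let the token's own header pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = f"{header_part}.{payload_part}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_part)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_part))
    if payload.get("iss") != issuer:
        raise ValueError("unexpected issuer: %r" % payload.get("iss"))
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload


def rejection_reason(token: str, secret: bytes, issuer: str, now: float) -> str:
    """Return the verifier's error message, or '' if the token is accepted."""
    try:
        hs256_verify(token, secret, issuer, now=now)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed claims mirroring the page's demo: issuer "huan", subject "19930311".
    claims = {"iss": "huan", "sub": "19930311", "iat": 1600000000,
              "exp": 1600000010, "user_id": "admin"}
    token = hs256_sign({"alg": "HS256", "typ": "JWT"}, claims, SECRET)
    print("token:", token)
    print("payload:", hs256_verify(token, SECRET, "huan", now=1600000005))
    # Changing a single character of the payload invalidates the signature.
    head, body, sig = token.split(".")
    tampered = f"{head}.{'A' if body[0] != 'A' else 'B'}{body[1:]}.{sig}"
    print("tampered:", rejection_reason(tampered, SECRET, "huan", 1600000005))
    print("expired:", rejection_reason(token, SECRET, "huan", 1600000010))
```

Running the script prints the token, the verified payload, and the reasons the tampered and expired variants are refused. The verify function deliberately does not read the payload until the signature has passed, so claim checks never run on data that could have been forged.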

Demo code


import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Date;

public class utils {
    // Shared HS256 secret; it must stay private, and an HS256 key should be at least 256 bits
    private static final String SECRET_KEY = "this is a secret key";

    public static void main(String[] args) {
        // Generate token
        String jwtToken = Jwts.builder()
                // header
                .setHeaderParam("typ", "JWT")

                // Registered claims
                .setIssuedAt(new Date()) // Issue time (iat)
                .setExpiration(new Date(new Date().getTime() + 10000L)) // Expiration time (exp), 10 seconds from now
                .setSubject("19930311") // Subject (sub): the user the JWT is about
                .setIssuer("huan") // Issuer (iss)
                // Public and private claims
                .claim("user_id", "admin")
                // Signature: HMAC-SHA256 over the encoded header and payload
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY.getBytes())
                // Serialize to the header.payload.signature string
                .compact();
        System.out.println("Generated jwt token as follows:" + jwtToken);

        // Verify jwt: parseClaimsJws throws (for example SignatureException or ExpiredJwtException)
        // if the signature does not match or a required claim fails
        Jws<Claims> claimsJws = Jwts.parser()
                // Require the issuer claim iss to be huan
                .require("iss", "huan")
                // Set the key used to check the signature
                .setSigningKey(SECRET_KEY.getBytes())
                // Parse and verify the jwt string
                .parseClaimsJws(jwtToken);

        // Get header information
        JwsHeader header = claimsJws.getHeader();
        // Get payload information
        Claims payload = claimsJws.getBody();

        System.out.println("Resolved jwt header as follows:" + header.toString());
        System.out.println("Resolved jwt payload as follows:" + payload.toString());
    }
}

Tags: Session encoding Maven

Posted on Wed, 24 Jun 2020 02:18:22 -0400 by nickmanners