JWT
What is a token? A token is a string used for authentication. The server issues it, the client stores it and sends it back with every request, and the server reads the data carried inside the token to identify the user and maintain the session.
What is the difference between HS256 and RS256? RS256 (RSA signature with SHA-256) is an asymmetric algorithm that uses a public/private key pair: the identity provider signs with the private key, and the consumer of the JWT obtains the public key to verify the signature. Because public keys (unlike private keys) need no protection, most identity providers make them easy to obtain (usually through a metadata URL).
HS256 (HMAC with SHA-256), on the other hand, is a symmetric algorithm: a single secret is shared between the two parties. Since the same key both generates and verifies the signature, anyone who holds it can mint valid tokens, so care must be taken that the key is not compromised.
Three parts
header.payload.signature
header
The header has two fields: the token type (JWT) and the signing algorithm (HS256 or RS256). Once the content is set, the JSON header is base64url-encoded into a string. Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, which is the encoding of {"alg":"HS256","typ":"JWT"}.
{ "typ": "JWT", "alg": "HS256" }

import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class HeaderEncode {
    public static void main(String[] args) {
        // The header must be valid JSON: ':' between name and value, not '='
        String header = "{\"typ\":\"JWT\",\"alg\":\"HS256\"}";
        System.out.println("header: " + header);
        // base64url encoding without '=' padding, the form JWT uses for each segment
        String a = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(header.getBytes(StandardCharsets.UTF_8));
        System.out.println("a: " + a); // eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
        // base64url decoding
        byte[] b = Base64.getUrlDecoder().decode(a);
        String b1 = new String(b, StandardCharsets.UTF_8);
        System.out.println("b1: " + b1); // {"typ":"JWT","alg":"HS256"}
    }
}
payload
The payload stores the token's actual content, which can be custom information or the standard fields predefined by JWT. Claims come in three kinds:
Public claims
Private claims
Registered claims (defined by the standard)
The registered claims defined by the JWT standard (RFC 7519) are: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at) and jti (JWT ID).
signature
This is the signature. It is computed from three inputs:
the base64url-encoded header
the base64url-encoded payload
the secret
The encoded header and payload are joined with a "." and the result is signed with the algorithm named in the header, using the secret. For HS256 this is HMAC-SHA256(base64url(header) + "." + base64url(payload), secret). Note that this is a signature (a MAC), not encryption: the header and payload remain readable by anyone who holds the token, so the payload must never carry passwords or other secrets.
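As an added example that is not part of the original page, the three parts above assembled and checked by hand in Python using only the standard library: it signs with HS256, reads the payload back without any key to show that nothing is encrypted, and verifies with a fixed expected algorithm, a constant-time comparison and an exp check. It also illustrates the HS256 point from the top of the page: whoever holds the secret can both issue and verify tokens. The claim values and the secret are made-up demo values, and the now parameter exists only to make the expiry check reproducible.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS requires for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two segments."""
    header = {"typ": "JWT", "alg": "HS256"}
    # compact JSON (no spaces) is what JWT libraries normally emit
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """Read the payload WITHOUT checking the signature: no key is needed for this."""
    return json.loads(b64url_decode(token.split(".")[1]))


def hs256_verify(token: str, secret: bytes, now=None) -> dict:
    """Verify the token and return its claims, or raise ValueError.

    The verifier fixes the algorithm it expects; the header's 'alg' is only
    checked for agreement and never used to choose the algorithm.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three segments") from None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    # compare_digest does not leak how many signature bytes matched
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    secret = b"this is a secret key"  # demo value only; use at least 32 random bytes in practice
    tok = hs256_sign({"sub": "19930311", "iss": "huan", "exp": 1_900_000_000}, secret)
    print(tok)
    print(decode_unverified(tok))  # readable with no key at all
    print(hs256_verify(tok, secret, now=1_700_000_000))
```

Run it and compare the first segment of the printed token with the header encoding shown above; then change one character of the middle segment and feed the result to hs256_verify to see the signature check fail.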
Demo code
maven
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.0</version>
</dependency>
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Date;

public class utils {
    // Shared secret: HS256 is symmetric, so this one value both signs and verifies.
    // Demo value only; a real key should be at least 32 random bytes and never hard-coded.
    private static final String SECRET_KEY = "this is a secret key";

    public static void main(String[] args) {
        // Generate token
        String jwtToken = Jwts.builder()
                // header
                .setHeaderParam("typ", "JWT")
                // registered claims
                .setIssuedAt(new Date())                                  // iat
                .setExpiration(new Date(new Date().getTime() + 10000L))   // exp, 10 seconds from now
                .setSubject("19930311")                                   // sub
                .setIssuer("huan")                                        // iss
                // public and private claims
                .claim("user_id", "admin")
                .claim("user_name", "liwei")
                // WARNING: the payload is only base64url-encoded, not encrypted;
                // a password placed here is readable by anyone who holds the token
                .claim("user_pwd", "123456")
                // signature
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY.getBytes())
                .compact();
        System.out.println("Generated jwt token as follows:" + jwtToken);

        // Verify jwt
        Jws<Claims> claimsJws = Jwts.parser()
                // require the iss claim to equal "huan"
                .require("iss", "huan")
                // set the verification key (same secret as above)
                .setSigningKey(SECRET_KEY.getBytes())
                // parse and verify; throws on a bad signature, expiry or a mismatched required claim
                .parseClaimsJws(jwtToken);
        // header
        JwsHeader header = claimsJws.getHeader();
        // payload
        Claims payload = claimsJws.getBody();
        System.out.println("Resolved jwt header as follows:" + header.toString());
        System.out.println("Resolved jwt payload as follows:" + payload.toString());
    }
}