JWT detailed usage guide


JWT

What is a token?

A token is a string used for authentication. The server issues it, the client stores it and sends it back with every request, and the server reads the data carried inside the token to identify the user and maintain the user's session.

What is the difference between HS256 and RS256?

RS256 (RSA signature with SHA-256) is an asymmetric algorithm that uses a public/private key pair: the identity provider signs the token with its private key, and the JWT consumer obtains the matching public key to verify the signature. Since the public key (unlike the private key) needs no protection, most identity providers make it easy to obtain (usually through a metadata URL).
HS256 (HMAC with SHA-256), by contrast, is a symmetric algorithm: a single secret key is shared between the two parties. Because the same key both creates and verifies signatures, anyone who holds it can mint valid tokens, so the key must be kept confidential by every party that has it. A verifier should also decide up front which algorithm it accepts rather than trusting the alg value in the token header, since the header is under the sender's control.

JWT structure

Three parts

header.payload.signature

header

The header has two fields: the token type (typ, here JWT) and the signing algorithm (alg, e.g. HS256 or RS256). Note that alg names a signature algorithm, not encryption. Once the header JSON is set, it is base64url-encoded (the URL-safe alphabet, with the = padding removed) to form the first segment of the token. Example: the header {"alg":"HS256","typ":"JWT"} encodes to eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. Because this is plain encoding, not encryption, anyone holding the token can decode it back to the JSON.

{ "typ": "JWT", "alg": "HS256" }

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class HeaderDemo {
    public static void main(String[] args) {
        // Header JSON: token type and signing algorithm (JSON uses ':' between key and value)
        String header = "{\"typ\":\"JWT\",\"alg\":\"HS256\"}";
        System.out.println("header: " + header);

        // Base64url encoding, which is what JWT uses: URL-safe alphabet, no '=' padding
        String a = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(header.getBytes(StandardCharsets.UTF_8));
        System.out.println("a: " + a); // eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

        // Base64url decoding: the header is only encoded, so it decodes without any key
        byte[] b = Base64.getUrlDecoder().decode(a);
        String b1 = new String(b, StandardCharsets.UTF_8);
        System.out.println("b1: " + b1); // {"typ":"JWT","alg":"HS256"}
    }
}
```

payload

The payload carries the token's actual content: custom fields, or the standard fields predefined by the JWT specification. Like the header, it is only base64url-encoded, not encrypted, so every claim is readable by whoever obtains the token; never put secrets such as passwords in it. Claims fall into three groups:
Registered claims (standard names defined by the specification)
Public claims
Private claims
The registered claims are:

iss: Issuer, the party that issued the token
sub: Subject, the user the token is about
aud: Audience, the intended recipient of the token
exp: Expiration time, after which the token must be rejected
nbf: Not Before, the time before which the token must not be accepted
iat: Issued At, the time the token was issued
jti: JWT ID, a unique identifier for the token, used to detect replay

signature

The signature is the third segment. It is computed from three inputs:
the base64url-encoded header
the base64url-encoded payload
the secret (HS256) or the private key (RS256)
The encoded header and payload are joined with a dot, and the algorithm named in the header is applied to that string with the key. For HS256 this is signature = HMAC-SHA256(secret, base64url(header) + "." + base64url(payload)); the result is base64url-encoded and appended as the third segment. This is a signature, not encryption, and no salt is involved: it lets the verifier detect any change to the header or payload, but it does not hide their contents.
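To make the three-segment layout and the HS256 discussion above concrete, here is an added example (not code from the original post) that builds, inspects and verifies an HS256 token by hand using only Python's standard library. The verifier pins the algorithm instead of trusting the header's alg, compares the HMAC in constant time, and checks iss, exp and nbf. The secret, claim values and timestamps are constructed for the demo; the function names are my own.

```python
"""Hand-built HS256 JWT (added example, not from the original post).

Only the standard library is used so the signature computation stays visible:
    signature = HMAC-SHA256(secret, base64url(header) + "." + base64url(payload))
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

HEADER = {"typ": "JWT", "alg": "HS256"}


def b64url_encode(data: bytes) -> str:
    # JWT segments use the URL-safe alphabet with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(header_b64: str, payload_b64: str, secret: bytes) -> bytes:
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def encode(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature for the given claims."""
    header_b64 = b64url_encode(json.dumps(HEADER, separators=(",", ":")).encode("utf-8"))
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signature = hs256_sign(header_b64, payload_b64, secret)
    return header_b64 + "." + payload_b64 + "." + b64url_encode(signature)


def peek(token: str) -> Tuple[dict, dict]:
    """Header and payload without any verification: they are encoded, not encrypted,
    so anyone holding the token can read them. Never trust what peek() returns."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify(token: str, secret: bytes, issuer: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is genuine and currently valid, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, the token's header does not.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hs256_sign(header_b64, payload_b64, secret)
    # Constant-time comparison so a forger cannot learn the signature byte by byte
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("expired")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("not yet valid")
    return claims


def check(token: str, secret: bytes, issuer: str, now: Optional[int] = None) -> str:
    """verify() folded into a status string, handy for demos and tests."""
    try:
        verify(token, secret, issuer, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed demo values: the secret and claims mirror the post's Java demo
    secret = b"this is a secret key"
    issued = int(time.time())
    claims = {"iss": "huan", "sub": "19930311", "iat": issued, "exp": issued + 10}
    token = encode(claims, secret)
    print("token:   ", token)
    print("peek:    ", peek(token))  # readable without the key
    print("valid:   ", check(token, secret, issuer="huan"))
    # Flip one character of the signature: the HMAC no longer matches
    head, body, sig = token.split(".")
    tampered = head + "." + body + "." + ("A" if sig[0] != "A" else "B") + sig[1:]
    print("tampered:", check(tampered, secret, issuer="huan"))
    # Same payload, header switched to alg none, empty signature: stopped by the alg pin
    none_header = b64url_encode(b'{"typ":"JWT","alg":"none"}')
    print("alg none:", check(none_header + "." + body + ".", secret, issuer="huan"))
    print("expired: ", check(token, secret, issuer="huan", now=issued + 10))
```

Run it directly to see a token, its decoded header and payload, and the four verification outcomes. The first segment of every token it produces is the same eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 shown in the header section, because the header JSON is fixed.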

Demo code

maven

```xml
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.0</version>
</dependency>
```

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.nio.charset.StandardCharsets;
import java.util.Date;

public class JwtUtils {
    // Shared HMAC secret: anyone holding it can mint valid tokens. In real code load it
    // from configuration and use a key at least as long as the hash output (32 bytes for HS256).
    private static final String SECRET_KEY = "this is a secret key";

    public static void main(String[] args) {
        // Generate token
        String jwtToken = Jwts.builder()
                // header
                .setHeaderParam("typ", "JWT")
                // registered claims
                .setIssuedAt(new Date())                                       // iat
                .setExpiration(new Date(System.currentTimeMillis() + 10000L))  // exp: 10 seconds from now
                .setSubject("19930311")                                        // sub: whom the token is for
                .setIssuer("huan")                                             // iss
                // public and private claims. The payload is only base64url-encoded, so every
                // value here is readable by whoever holds the token; a password such as
                // user_pwd must never be put in a JWT (kept only to mirror the original demo).
                .claim("user_id", "admin")
                .claim("user_name", "liwei")
                .claim("user_pwd", "123456")
                // signature
                .signWith(SignatureAlgorithm.HS256, SECRET_KEY.getBytes(StandardCharsets.UTF_8))
                .compact();
        System.out.println("Generated jwt token: " + jwtToken);

        // Verify jwt: parseClaimsJws checks the signature, the expiration and the required
        // claims, and throws an exception (signature, expired, missing claim) on failure
        Jws<Claims> claimsJws = Jwts.parser()
                // the iss claim must be "huan"
                .require("iss", "huan")
                // key used to verify the HMAC
                .setSigningKey(SECRET_KEY.getBytes(StandardCharsets.UTF_8))
                // parse and verify the compact token
                .parseClaimsJws(jwtToken);
        // header information
        JwsHeader header = claimsJws.getHeader();
        // payload information
        Claims payload = claimsJws.getBody();
        System.out.println("Parsed jwt header: " + header);
        System.out.println("Parsed jwt payload: " + payload);
    }
}
```

24 June 2020, 02:18
