OAuth2.0-JWT token
When testing Spring Cloud Security OAuth2, we found that when the resource service and the authorization service are deployed separately, the resource service uses RemoteTokenServices to call the authorization service remotely to verify each token, which hurts system performance when traffic is high.

To solve this problem, the JWT format can be adopted. After the user passes authentication, they receive a JWT token that already contains the user-related information. The client only needs to present the JWT to access the resource service, and the resource service verifies the token by itself according to the pre-agreed algorithm, without having to call the authentication service for verification on every request.

1. What is JWT?

JSON Web Token (JWT) is an open industry standard (RFC 7519) that defines a compact, self-contained format for transmitting JSON objects between communicating parties. Because the content is digitally signed, the recipient can verify it and trust it. A JWT can be signed with an HMAC algorithm or with an RSA public/private key pair to prevent tampering.

References: the JWT official website and the JWT standard (RFC 7519).

Advantages of JWT token:

1) JWT is based on JSON, which is very convenient to parse.

2) Rich content can be customized in the token, which is easy to expand.

3) Through asymmetric-key algorithms and digital signatures, JWT prevents tampering and offers high security.

4) Resource services can complete authentication and authorization using the JWT alone, without depending on the authentication service.

Disadvantages of JWT tokens:

1) The JWT token is long and takes up a lot of storage space.

2. JWT token structure

By learning the structure of the JWT token, we lay a good foundation for customizing JWT tokens.

A JWT token consists of three parts (header, payload and signature) separated by dots (.), in the form xxxxx.yyyyy.zzzzz. For example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.<signature>

1) Header

The header is a JSON object that records the type of the token (namely JWT) and the hash algorithm used for the signature (such as HMAC SHA256 or RSA). Like the payload, it is Base64Url-encoded to form the first part of the token.

2) Payload

The second part is the payload, which is also a JSON object and is where the effective information is stored. It can hold the standard claims defined by JWT, such as iss (issuer), exp (expiration timestamp) and sub (subject), and you can also add custom fields. It is not recommended to store sensitive information in this part, because it can simply be decoded back to its original content. Base64Url-encoding the payload gives a string that is the second part of the JWT token.

3) Signature

The third part is the signature, which is used to prevent the JWT content from being tampered with. It takes the Base64Url-encoded header and payload, joins them with a dot (.), and signs the resulting string with the algorithm declared in the header:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), your-256-bit-secret)

base64UrlEncode(header): the first part of the JWT token, the header.

base64UrlEncode(payload): the second part of the JWT token, the payload.

your-256-bit-secret: the key used for signing.
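As an added example that is not part of the original tutorial or of Spring Cloud Security, the following Python script builds a token from the three parts described above and verifies it the way a resource service would: locally, with a pinned algorithm and the shared secret, and without calling the authorization service. The SECRET value and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; in practice the UAA and the resource service load the same
# secret from configuration (the "your-256-bit-secret" of the signature formula).
SECRET = b"demo-shared-secret-for-uaa-and-resource-service"

def b64url(data: bytes) -> str:
    # Base64Url without '=' padding, as JWT requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(signing_input: bytes, key: bytes) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())

def issue_jwt(payload: dict, key: bytes) -> str:
    # Authorization-service side: the header declares the algorithm, the payload is
    # plain JSON that is only encoded (anyone can decode it), the signature covers both.
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}"
    return f"{signing_input}.{sign_hs256(signing_input.encode(), key)}"

def verify_jwt(token: str, key: bytes, now=None) -> dict:
    # Resource-service side: validate locally with the pre-agreed algorithm,
    # with no HTTP call to the authorization service.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Pin the expected algorithm rather than trusting whatever the header claims
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sign_hs256(f"{h}.{p}".encode(), key), s):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if "exp" in claims and claims["exp"] <= (int(time.time()) if now is None else now):
        raise ValueError("token expired")
    return claims
```

The header part of the issued token is the same eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 string shown in the token example above, since it encodes the identical JSON.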

Configuring a JWT token service in the UAA (the authorization service) enables it to generate JWT tokens.

1. Token configuration

2. Define the JWT token service in the authorization server.

The resource service must use the same signing key, token service and related settings as the authorization service:

1. Copy the TokenConfig class from the authorization service to the resource service project.

2. Disable the original token service class in the resource service so that it no longer calls the authorization service over HTTP to verify the JWT token.