JSON Web Token (JWT) is a very lightweight specification that lets us transmit safe and reliable information between users and servers.
Applicable scenario
1. Passing some non-sensitive information to a Web application, for example adding a friend or placing an order.
2. Designing a user authentication and authorization system.
3. Implementing single sign-on for Web applications.
Composition of JWT
A JWT is actually a string consisting of three parts: header, payload and signature.
Sample scenario
When user A follows user B, the system sends user B an email containing the link "Click here to follow user A". The link address is /make-friend/?from_user=B&target_user=A.
The goal is to let user B complete this operation without logging in.
Payload
First describe the add-friend operation above as a JSON object, and add some other fields that help the server receiving this JWT understand it.
{
  "iss": "John Wu JWT",
  "iat": 1441593502,
  "exp": 1441594722,
  "aud": "www.example.com",
  "sub": "jrocket@example.com",
  "from_user": "B",
  "target_user": "A"
}
The first five fields are defined by the JWT standard:
iss (issuer): who issued this JWT.
sub (subject): the user this JWT is about.
aud (audience): the party that receives this JWT.
exp (expires): when the JWT expires, as a Unix timestamp.
iat (issued at): when the JWT was issued, also a Unix timestamp.
Base64 encoding the JSON object above (in its URL-safe base64url form) gives the following string, which is called the payload of the JWT.
eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiZnJvbV91c2VyIjoiQiIsInRhcmdldF91c2VyIjoiQSJ9
If you use Node.js, the base64url package produces this string.
var base64url = require('base64url')
// The payload object from above, as a JavaScript literal
var payload = {
  "iss": "John Wu JWT",
  "iat": 1441593502,
  "exp": 1441594722,
  "aud": "www.example.com",
  "sub": "jrocket@example.com",
  "from_user": "B",
  "target_user": "A"
}
console.log(base64url(JSON.stringify(payload)))
// Output: eyJpc3MiOiJKb2huIFd1IEpXVCIsImlhdCI6MTQ0MTU5MzUwMiwiZXhwIjoxNDQxNTk0NzIyLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiZnJvbV91c2VyIjoiQiIsInRhcmdldF91c2VyIjoiQSJ9
Tip: Base64 is an encoding, not encryption. Anyone who holds the string can decode it back to the original JSON, so the payload must never carry secrets.
Header
The header describes the most basic information about the JWT, such as its type and the algorithm used for the signature. It is also expressed as a JSON object.
{
  "typ": "JWT",
  "alg": "HS256"
}
This says that the token is a JWT and that the signature algorithm we use (described below) is HS256.
The header is Base64-encoded as well, and the resulting string becomes the header part of the JWT.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
Signature
Join the two encoded strings above with a dot (header first), and the signing input is formed.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VzZXIiOiJCIiwidGFyZ2V0X3VzZXIiOiJBIn0
Finally, we sign the joined string with the HS256 algorithm (HMAC using SHA-256). Signing requires a secret; using mystar as the key gives the following value.
rSWamyAYwuHCo7IFAgd1oRpSP7nzL7BF5t7ItqpKViM
This part is the signature. It is a message authentication code, not encryption: the header and payload stay readable, but anyone without the key cannot produce a valid signature for a modified payload.