JWT認證看這一篇就夠了

原創 架构师修行之路 2020-09-03 11:58
{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"基於Token的認證"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過上一篇你大體已經瞭解session和cookie認證了,session認證需要服務端做大量的工作來保證session信息的一致性以及session的存儲,所以現代的web應用在認證的解決方案上更傾向於客戶端方向,cookie認證是基於客戶端方式的,但是cookie缺點也很明顯,到底有哪些缺點可以跳轉上一次的文章。那有沒有一種比較折中的方案呢?有的"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"把認證信息保存在客戶端,關鍵點就是安全的驗證,如果能解決認證信息的安全性問題,完全可以把認證信息保存在客戶端,服務端完全無認證狀態,這樣的話服務端擴展起來要方便很多。關於信息的安全解決方案,現在普遍的做法就是簽名機制,像微信公衆接口的驗證方式就基於簽名機制。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"簽名,就是隻有信息的發送者才能產生的別人無法僞造的一段數字串,這段數字串同時也是對信息的發送者發送信息真實性的一個有效證明。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當用戶成功登陸系統併成功驗證有效之後,服務器會利用某種機制產生一個token字符串,這個token中可以包含很多信息,例如來源IP,過期時間,用戶信息等, 把這個字符串下發給客戶端,客戶端在之後的每次請求中都攜帶着這個token,攜帶方式其實很自由,無論是cookie方式還是其他方式都可以,但是必須和服務端協商一致纔可以。當然這裏我不推薦cookie。當服務端收到請求,取出token進行驗證(可以驗證來源ip,過期時間等信息),如果合法則允許進行操作。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基於token的驗證方式也是現代互聯網普通使用的認證方式,那它有什麼優點嗎?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"支持跨域訪問,Cookie是不允許垮域訪問的,這一點對Token機制是不存在的,前提是傳輸的用戶認證信息通過HTTP頭傳輸."}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"無狀態:Token機制在服務端不需要存儲session信息,因爲Token自身包含了所有登錄用戶的信息,只需要在客戶端的cookie或本地介質存儲狀態信息."}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"解耦 不需要綁定到一個特定的身份驗證方案。Token可以在任何地方生成,只要在你的API被調用的時候,你可以進行Token生成調用即可."}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","text":"適用性更廣:只要是支持http協議的客戶端,就可以使用token認證。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":5,"align":null,"origin":null},"content":[{"type":"text","text":"服務端只需要驗證token的安全,不必再去獲取登錄用戶信息,因爲用戶的登錄信息已經在token信息中。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":6,"align":null,"origin":null},"content":[{"type":"text","text":"基於標準化:你的API可以採用標準化的 JSON Web Token (JWT). 這個標準已經存在多個後端庫(.NET, Ruby, Java,Python,PHP)和多家公司的支持(如:Firebase,Google, Microsoft)."}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"那基於token的認證方式有哪些缺點呢?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"網絡傳輸的數據量增大:由於token中存儲了大量的用戶和安全相關的信息,所以比單純的cookie信息要大很多,傳輸過程中需要消耗更多流量,佔用更多帶寬,"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"和所有的客戶端認證方式一樣,如果想要在服務端控制token的註銷有難度,而且也很難解決客戶端的劫持問題。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"由於token信息在服務端增加了一次驗證數據完整性的操作,所以比session的認證方式增加了cpu的開銷。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是整體來看,基於token的認證方式還是比session和cookie方式要有很大優勢。在所知的token認證中,jwt是一種優秀的解決方案"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"link","attrs":{"href":"#jwt","title":null}},{"type":"text","text":"jwt"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"JSON Web Token (JWT)是一個開放標準(RFC 7519),它定義了一種緊湊的、自包含的方式,用於作爲JSON對象在各方之間安全地傳輸信息。該信息可以被驗證和信任,因爲它是數字簽名的。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一個JWT實際上就是一個字符串,它由三部分組成,頭部、載荷與簽名。"}]},{"type":"heading","attrs":{"align":null,"level":5},"content":[{"type":"link","attrs":{"href":"#頭部","title":null}},{"type":"text","text":"頭部"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"header典型的由兩部分組成:token的類型(“JWT”)和算法名稱(比如:HMAC SHA256或者RSA等等)。"}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"{\n \"alg\": \"HS256\",\n \"typ\": \"JWT\"\n}\n"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":5},"content":[{"type":"link","attrs":{"href":"#payload","title":null}},{"type":"text","text":"Payload"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Payload 部分也是一個JSON對象,用來存放實際需要傳遞的數據。JWT 規定了7個官方字段,供選用。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"iss (issuer):簽發人\nexp (expiration time):過期時間\nsub (subject):主題\naud (audience):受衆\nnbf (Not Before):生效時間\niat (Issued At):簽發時間\njti (JWT ID):編號\n"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"除了以上字段之外,你完全可以添加自己想要的任何字段,這裏還是提醒一下,由於jwt的標準,信息是不加密的,所以一些敏感信息最好不要添加到json裏面"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"{\n \"Name\":\"菜菜\",\n \"Age\":18\n}\n"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":5},"content":[{"type":"link","attrs":{"href":"#signature","title":null}},{"type":"text","text":"Signature"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了得到簽名部分,你必須有編碼過的header、編碼過的payload、一個祕鑰(這個祕鑰只有服務端知道),簽名算法是header中指定的那個,然對它們簽名即可。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"HMACSHA256(base64UrlEncode(header) + \".\" + base64UrlEncode(payload), secret)\n"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"算出簽名以後,把 Header、Payload、Signature 三個部分拼成一個字符串,每個部分之間用\"點\"(.)分隔,就可以返回給用戶。需要提醒一下:base64是一種編碼方式,並非加密方式。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"link","attrs":{"href":"#寫在最後","title":null}},{"type":"text","text":"寫在最後"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基於token的認證方式,大體流程爲:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"客戶端攜帶用戶的登錄憑證(一般爲用戶名密碼)提交請求"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"服務端收到登錄請求,驗證憑證正確性,如果正確則按照協議規定生成token信息,經過簽名並返回給客戶端"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"客戶端收到token信息,可以保存在cookie或者其他地方,以後每次請求的時候都攜帶上token信息"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","text":"業務服務器收到請求,驗證token的正確性,如果正確則進行下一步操作"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/cc/ccaaf4b2c20228b8282579b3ae0fe521.jpeg","alt":"image","title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這裏再重複一次,無論是token認證,cookie認證,還是session認證,一旦別人拿到客戶端的標識,還是可以僞造操作。所以採用任何一種認證方式的時候請考慮加入來源ip或者白名單,過期時間,另外有條件的情況下一定要使用https。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"更多精彩文章"}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/mp/appmsgalbum?action=getalbum&album_id=1342955119549267969&__biz=MzIwNTc3OTAxOA==#wechat_redirect","title":null},"content":[{"type":"text","text":"分佈式大併發系列"}]}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/mp/appmsgalbum?action=getalbum&album_id=1342959003139227648&__biz=MzIwNTc3OTAxOA==#wechat_redirect","title":null},"content":[{"type":"text","text":"架構設計系列"}]}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/mp/appmsgalbum?action=getalbum&album_id=1342962375443529728&__biz=MzIwNTc3OTAxOA==#wechat_redirect","title":null},"content":[{"type":"text","text":"趣學算法和數據結構系列"}]}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/mp/appmsgalbum?action=getalbum&album_id=1342964237798391808&__biz=MzIwNTc3OTAxOA==#wechat_redirect","title":null},"content":[{"type":"text","text":"設計模式系列"}]}]}]}]}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/f8/f8af5984765a267892bf1a1272272625.png","alt":"image","title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

界面控件DevExpress VCL v24.1預覽 - 支持RAD Studio 12.1、圖表新功能

DevExpress VCL Controls是Devexpress公司旗下最老牌的用戶界面套包,所包含的控件有:數據錄入、圖表、數據分析、導航、佈局等。該控件能幫助您創建優異的用戶體驗,提供高影響力的業務解決方案,並利用您現有的VCL技能

原創 2024-04-24 11:35:34

「Java開發指南」如何利用MyEclipse啓用Spring DSL?(二)

本教程將引導您通過啓用Spring DSL和使用Service Spring DSL抽象來引導Spring和Spring代碼生成項目,本教程中學習的技能也可以很容易地應用於其他抽象。在本教程中,您將學習如何: 爲Spring DSL初始化

原創 2024-04-24 11:35:31

Google Chrome驅動程序 124.0.6367.62(正式版本)去哪下載?

大家好,我是Python進階者。 一、前言 前幾天在Python白銀交流羣【Jethro Shen】問了一個Python谷歌驅動下載的問題。 二、實現過程 這裏【Kim】和【Crazy】給了一個指導,如上圖所示。說來奇怪,在鏈接中看了沒有

原創 2024-04-24 09:48:52

如何從根本上避免釣魚--安全意識的重要性

一、什麼是網絡釣魚(Phishing) “網絡釣魚 (Phishing)攻擊者利用欺騙性的電子郵件和僞造的 Web 站點來進行網絡詐騙活動,受騙者往往會泄露自己的私人資料,如信用卡號、銀行卡賬戶、身份證號等內容。詐騙者通常會將自己僞裝成網

原創 2024-04-23 23:16:04

【微電平臺】-高併發實戰經驗-奇葩問題解決及流程優化之旅

微電平臺 微電平臺是集電銷、企業微信等於一體的綜合智能SCRM SAAS化系統,涵蓋多渠道管理、全客戶生命週期管理、私域營銷運營等主要功能,承接了京東各業務線服務,專注於爲業務提供職場外包式的一站式客戶管理及一體化私域運營服務。 

原創 2024-04-23 23:16:01

MySQL死鎖排查,原來我一直沒懂。。。

喜大普奔,微信給我的公衆號開了留言功能!!!有緣看到這篇文章的朋友,可以留個言互動下,謝謝~ 最近線上偶發MySQL的死鎖異常,發現原來很多理論都只背了個結論,細節都是魔鬼。 比如,MySQL在RR級別用gap lock防止幻讀,

原創 2024-04-23 23:10:58

沙特2030年願景和對中國IT企業的市場機會分析

沙特2030年願景和對中國IT企業的市場機會分析   前言:最近“開源老DJ,帶你去沙特”欄目第一期已經播出,收到了不錯的反響。見COPU官網的回顧。(https://mp.weixin.qq.com/s/3B0jNVhybxTF1xPiy

原創 2024-04-23 22:24:54

一次Redis訪問超時的“捉蟲”之旅

01    引言 作爲後端開發人員,對Redis肯定不陌生,它是一款基於內存的數據庫,讀寫速度非常快。在愛奇藝海外後端的項目中,我們也廣泛使用Redis,主要用於緩存、消

原創 2024-04-23 13:04:36

Xmake v2.9.1 發佈,新增 native lua 模塊和鴻蒙系統支持

Xmake 是一個基於 Lua 的輕量級跨平臺構建工具。 它非常的輕量,沒有任何依賴,因爲它內置了 Lua 運行時。 它使用 xmake.lua 維護項目構建,相比 makefile/CMakeLists.txt,配置語法更加簡潔直觀,

原創 2024-04-23 12:10:57

日誌架構演進:從集中式到分佈式的Kubernetes日誌策略

當我們沒有使用雲原生方案部署應用時採用的日誌方案往往是 ELK 技術棧。 這套技術方案比較成熟,穩定性也很高,所以幾乎成爲了當時的標配。 可是隨着我們使用 kubernetes 步入雲原生的時代後, kubernetes 把以往的操作系統

原創 2024-04-23 11:47:10

界面組件DevExpress Blazor UI v23.2 - 支持.NET 8、全新的項目模版

DevExpress Blazor UI組件使用了C#爲Blazor Server和Blazor WebAssembly創建高影響力的用戶體驗,這個UI自建庫提供了一套全面的原生Blazor UI組件(包括Pivot Grid、調度程序、圖

原創 2024-04-23 11:34:47

擁抱AI,由GBC開始|2024 CGMA GBC商業精英國際挑戰賽報名開啓

  這裏是智慧與勇氣的較量場 這裏是激情與夢想的交匯點 與同樣熱血的隊友 拓展商業思維 全英文挑戰 商業世界的極限 贏得AI面試體驗 名企實習 豐厚獎金 增強簡歷競爭力  贏得認證榮譽證書

百度開發者中心 2024-04-23 11:29:20

03-爲啥大模型LLM還沒能完全替代你?

1 不具備記憶能力的 它是零狀態的,我們平常在使用一些大模型產品,尤其在使用他們的API的時候,我們會發現那你和它對話,尤其是多輪對話的時候,經過一些輪次後,這些記憶就消失了,因爲它也記不住那麼多。 2 上下文窗口的限制 大模型對其inpu

原創 2024-04-23 01:07:00

MyDumper “喜歡” 觸發器麼?

是的,但現在它更“喜歡”它們,原因如下。 介紹 使用 LIKE 子句過濾特定表中的觸發器或視圖很常見。但是,它可能會欺騙您,特別是如果您看不到輸出(即在非交互式會話中)。讓我們看一個簡單的例子,以及如何以更可靠的方式處理任務。還有一個指向

原創 2024-04-22 23:19:50

網絡安全數字孿生:一種新穎的汽車軟件解決方案

摘要       隨着汽車行業轉變爲數據驅動的業務,軟件在車輛的開發和維護中發揮了核心作用。隨着軟件數量的增加,相應的網絡安全風險、責任和監管也隨之增加,傳統方法變得不再適用於這類任務。相應的結果是整車廠和供應商都在努力應對汽車軟件日益增加

原創 2024-04-22 22:42:12