JWT认证看这一篇就够了

原創 架构师修行之路 2020-09-03 11:58
{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"基于Token的认证"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通过上一篇你大体已经了解session和cookie认证了,session认证需要服务端做大量的工作来保证session信息的一致性以及session的存储,所以现代的web应用在认证的解决方案上更倾向于客户端方向,cookie认证是基于客户端方式的,但是cookie缺点也很明显,到底有哪些缺点可以跳转上一次的文章。那有没有一种比较折中的方案呢?有的"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"把认证信息保存在客户端,关键点就是安全的验证,如果能解决认证信息的安全性问题,完全可以把认证信息保存在客户端,服务端完全无认证状态,这样的话服务端扩展起来要方便很多。关于信息的安全解决方案,现在普遍的做法就是签名机制,像微信公众接口的验证方式就基于签名机制。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"签名,就是只有信息的发送者才能产生的别人无法伪造的一段数字串,这段数字串同时也是对信息的发送者发送信息真实性的一个有效证明。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"当用户成功登陆系统并成功验证有效之后,服务器会利用某种机制产生一个token字符串,这个token中可以包含很多信息,例如来源IP,过期时间,用户信息等, 把这个字符串下发给客户端,客户端在之后的每次请求中都携带着这个token,携带方式其实很自由,无论是cookie方式还是其他方式都可以,但是必须和服务端协商一致才可以。当然这里我不推荐cookie。当服务端收到请求,取出token进行验证(可以验证来源ip,过期时间等信息),如果合法则允许进行操作。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基于token的验证方式也是现代互联网普通使用的认证方式,那它有什么优点吗?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"支持跨域访问,Cookie是不允许垮域访问的,这一点对Token机制是不存在的,前提是传输的用户认证信息通过HTTP头传输."}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"无状态:Token机制在服务端不需要存储session信息,因为Token自身包含了所有登录用户的信息,只需要在客户端的cookie或本地介质存储状态信息."}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"解耦 不需要绑定到一个特定的身份验证方案。Token可以在任何地方生成,只要在你的API被调用的时候,你可以进行Token生成调用即可."}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","text":"适用性更广:只要是支持http协议的客户端,就可以使用token认证。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":5,"align":null,"origin":null},"content":[{"type":"text","text":"服务端只需要验证token的安全,不必再去获取登录用户信息,因为用户的登录信息已经在token信息中。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":6,"align":null,"origin":null},"content":[{"type":"text","text":"基于标准化:你的API可以采用标准化的 JSON Web Token (JWT). 这个标准已经存在多个后端库(.NET, Ruby, Java,Python,PHP)和多家公司的支持(如:Firebase,Google, Microsoft)."}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"那基于token的认证方式有哪些缺点呢?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"网络传输的数据量增大:由于token中存储了大量的用户和安全相关的信息,所以比单纯的cookie信息要大很多,传输过程中需要消耗更多流量,占用更多带宽,"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"和所有的客户端认证方式一样,如果想要在服务端控制token的注销有难度,而且也很难解决客户端的劫持问题。"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"由于token信息在服务端增加了一次验证数据完整性的操作,所以比session的认证方式增加了cpu的开销。"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是整体来看,基于token的认证方式还是比session和cookie方式要有很大优势。在所知的token认证中,jwt是一种优秀的解决方案"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"link","attrs":{"href":"#jwt","title":null}},{"type":"text","text":"jwt"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"JSON Web Token (JWT)是一个开放标准(RFC 7519),它定义了一种紧凑的、自包含的方式,用于作为JSON对象在各方之间安全地传输信息。该信息可以被验证和信任,因为它是数字签名的。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一个JWT实际上就是一个字符串,它由三部分组成,头部、载荷与签名。"}]},{"type":"heading","attrs":{"align":null,"level":5},"content":[{"type":"link","attrs":{"href":"#头部","title":null}},{"type":"text","text":"头部"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"header典型的由两部分组成:token的类型(“JWT”)和算法名称(比如:HMAC SHA256或者RSA等等)。"}]},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"{\n \"alg\": \"HS256\",\n \"typ\": \"JWT\"\n}\n"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":5},"content":[{"type":"link","attrs":{"href":"#payload","title":null}},{"type":"text","text":"Payload"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Payload 部分也是一个JSON对象,用来存放实际需要传递的数据。JWT 规定了7个官方字段,供选用。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"iss (issuer):签发人\nexp (expiration time):过期时间\nsub (subject):主题\naud (audience):受众\nnbf (Not Before):生效时间\niat (Issued At):签发时间\njti (JWT ID):编号\n"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"除了以上字段之外,你完全可以添加自己想要的任何字段,这里还是提醒一下,由于jwt的标准,信息是不加密的,所以一些敏感信息最好不要添加到json里面"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"{\n \"Name\":\"菜菜\",\n \"Age\":18\n}\n"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":5},"content":[{"type":"link","attrs":{"href":"#signature","title":null}},{"type":"text","text":"Signature"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"为了得到签名部分,你必须有编码过的header、编码过的payload、一个秘钥(这个秘钥只有服务端知道),签名算法是header中指定的那个,然对它们签名即可。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"codeblock","attrs":{"lang":null},"content":[{"type":"text","text":"HMACSHA256(base64UrlEncode(header) + \".\" + base64UrlEncode(payload), secret)\n"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"算出签名以后,把 Header、Payload、Signature 三个部分拼成一个字符串,每个部分之间用\"点\"(.)分隔,就可以返回给用户。需要提醒一下:base64是一种编码方式,并非加密方式。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"link","attrs":{"href":"#写在最后","title":null}},{"type":"text","text":"写在最后"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基于token的认证方式,大体流程为:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"客户端携带用户的登录凭证(一般为用户名密码)提交请求"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"服务端收到登录请求,验证凭证正确性,如果正确则按照协议规定生成token信息,经过签名并返回给客户端"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"客户端收到token信息,可以保存在cookie或者其他地方,以后每次请求的时候都携带上token信息"}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","text":"业务服务器收到请求,验证token的正确性,如果正确则进行下一步操作"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/cc/ccaaf4b2c20228b8282579b3ae0fe521.jpeg","alt":"image","title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"这里再重复一次,无论是token认证,cookie认证,还是session认证,一旦别人拿到客户端的标识,还是可以伪造操作。所以采用任何一种认证方式的时候请考虑加入来源ip或者白名单,过期时间,另外有条件的情况下一定要使用https。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"更多精彩文章"}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/mp/appmsgalbum?action=getalbum&album_id=1342955119549267969&__biz=MzIwNTc3OTAxOA==#wechat_redirect","title":null},"content":[{"type":"text","text":"分布式大并发系列"}]}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/mp/appmsgalbum?action=getalbum&album_id=1342959003139227648&__biz=MzIwNTc3OTAxOA==#wechat_redirect","title":null},"content":[{"type":"text","text":"架构设计系列"}]}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/mp/appmsgalbum?action=getalbum&album_id=1342962375443529728&__biz=MzIwNTc3OTAxOA==#wechat_redirect","title":null},"content":[{"type":"text","text":"趣学算法和数据结构系列"}]}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/mp/appmsgalbum?action=getalbum&album_id=1342964237798391808&__biz=MzIwNTc3OTAxOA==#wechat_redirect","title":null},"content":[{"type":"text","text":"设计模式系列"}]}]}]}]}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/f8/f8af5984765a267892bf1a1272272625.png","alt":"image","title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

Java集合中的Map

Map是用於保存具有映射關係的數據集合,它具有雙列存儲的特點,即一次必須添加兩個元素,即一組鍵值對<Key,Value>,其中Key的值不可重複(當Key的值重複的時候,後面插入的對象會將之前插入的具有相同的Key值的對象覆蓋掉),Valu

原創 2024-05-06 11:34:11

lightdb 单机模式下数据库平移

前言 lightdb數據庫使用一段時間之後,希望在其他服務器重新部署一套, 但是要求數據可以平滑遷移到新的數據庫上面去,可以參考本文章進行操作 步驟 1. 數據庫安裝 在新的服務器安裝數據庫,具體安裝步驟可以參考:https://w

原創 2024-05-05 21:55:24

欧洲英国德国法国TikTok与YouTube海外网红达人的完美合作策略

【本篇由言同數字科技有限公司原創】在當今數字營銷時代,TikTok已成爲一種受歡迎的社交媒體平臺,尤其在年輕人中頗具影響力。而其中的直播帶貨更是吸引了衆多品牌的注意,成爲推廣產品和增加銷售的重要途徑。下面言同數字將針對海外TikTok網紅直

原創 2024-05-03 22:36:01

ollama使用

ollama 僅支持。gguf的格式    其他格式需要llama.cpp 轉換 curl https://ollama.ai/install.sh | sh ollama --version ollama pull llama2-chin

原創 2024-05-01 00:42:55

「Qt Widget中文示例指南」如何实现一个快捷编辑器(一)

Qt 是目前最先進、最完整的跨平臺C++開發工具。它不僅完全實現了一次編寫,所有平臺無差別運行,更提供了幾乎所有開發過程中需要用到的工具。如今,Qt已被運用於超過70個行業、數千家企業,支持數百萬設備及應用。 快捷編輯器示例展示瞭如何創建一

原創 2024-04-30 23:36:29

解锁HDC 2024之旅:从购票到报名,全程攻略

本文分享自華爲雲社區《解鎖HDC 2024之旅:從購票到報名,全程攻略》,作者:華爲雲社區精選。 Hi,代碼界的小夥伴們,集結號已經吹響了!華爲開發者大會(HDC 2024)——這場匯聚了HarmonyOS NEXT鴻蒙星河版、盤古大模型5

原創 2024-04-30 22:34:35

银行核心背后的落地工程体系丨Oracle - TiDB 数据迁移详解

本文作者: 張顯華,孟凡輝,莊培培 系列導讀:徐戟(白鱔)數據庫技術專家,Oracle ACE,PostgreSQL ACE Director 當前,國內大量的關鍵行業的核心繫統正在實現國產化替代,而與此同時,這些行業的數字化轉型也正在進入

原創 2024-04-30 22:24:59

30 秒出服装设计稿,森马用函数计算+AIGC 整“新活”!

創新項目如何去賦能我們的業務,這件事情在森馬很重要。阿里雲函數計算幫我們屏蔽掉了想把AI落地到實際業務場景中 GPU 算力資源儲備、採購成本、技術門檻等很多難題,從而迅速做出決策,快人一步站在正確的起點,體驗新技術對整個服裝爆款設計、營銷

原創 2024-04-30 21:12:14

消金公司2023财报解析:息差维持高位,信用成本攀升

來源 | 鐳射財經(leishecaijing) 2023年,是持牌消金行業承上啓下的關鍵一年,也是鍛造韌性、比拼內功最緊張的一年。 一方面,住戶短期消費貸款餘額在2022年觸底後,伴隨經濟復甦、消費提振,於2023年重新回到上行軌道。短

原創 2024-04-30 13:11:32

Linux下制作Nginx绿色免安装包

前言 linux下安裝nginx比較繁瑣,遇到內網部署環境更是麻煩,所以研究了下nginx綠色免安裝版的部署包製作,開箱即用,特此記錄分享,一下操作在centos8環境下安裝,如果需要其他內核系統的安裝(Debian/Ubuntu等),請在

原創 2024-04-29 21:38:23

数字化转型新篇章:企业通往智能化的新范式

早在十多年前,一些具有前瞻視野的企業以實現“數字化”爲目標啓動轉型實踐。但時至今日,可以說尚無幾家企業能夠在真正意義上實現“數字化”。 在實現“數字化”的征途上,人們發現,努力愈進,彷彿終點愈遠。究其原因,還在於轉型一直落後於技術邊界的拓展

原創 2024-04-29 21:22:20

MindSpore强化学习:使用PPO配合环境HalfCheetah-v2进行训练

本文分享自華爲雲社區《MindSpore強化學習:使用PPO配合環境HalfCheetah-v2進行訓練》,作者: irrational。 半獵豹(Half Cheetah)是一個基於MuJoCo的強化學習環境,由P. Wawrzyński

原創 2024-04-29 10:33:13

图片旋转后保存到数据库

 1、圖片通過canvas繪製 2、canvas旋轉 3、canvas 轉成blob 在實例化成文件 4、創建formData裏面append放入文件和其他的參數,再調上傳接口 <div style=" heig

原創 2024-04-29 10:16:22

记一次北京某大学逻辑漏洞挖掘

0x01 信息收集 個人覺得教育src的漏洞挖掘就不需要找真實IP了,我們直接進入正題,收集某大學的子域名,可以用oneforall,這裏給大家推薦一個在線查詢子域名的網站:https://www.virustotal.com/ 收集到的子

原創 2024-04-28 22:47:25

1 名工程师轻松管理 20 个工作流,创业企业用 Serverless 让数据处理流程提效

作者:嶽洋、陳德全、劉靜娜 北京語勢科技有限公司成立於 2023 年 6 月,語勢科技定位爲“智能投資時代的主題入口”,在資管行業從以機構爲核心轉向以用戶爲核心的變革時代,通過打造主題投資引擎,賦能普惠投資一體化,打造以投資者和資管機構爲主

原創 2024-04-28 21:12:22