I recently learned about token-based authentication and want to share it with everyone. Tokens are used by many large sites, such as Facebook, Twitter, Google+, and GitHub. Token-based authentication scales better than traditional session-based authentication and suits Web and mobile applications well. Some people translate Token into Chinese as “令牌” (a pass or tally), which I think is quite good: it conveys that you can only get through certain checkpoints when you hold this Token.

Reprinted from http://ninghao.net/blog/2834

Traditional authentication methods

HTTP is a stateless protocol: by itself it does not know who is accessing the application. Here we treat the user as a client. The client authenticates with a username and password, but the next time it sends a request it has to authenticate again.

The solution is this: when the user requests to log in and the credentials check out, the server creates a record that identifies the user and sends the ID of that record to the client, which stores the ID in a Cookie. On its next request the client sends the Cookie along; the server checks the ID in the Cookie against its stored records, and if a matching record exists the user is considered authenticated and the requested data is returned to the client.

We need to store sessions generated for logged-in users on the server. These sessions may be stored in memory, disk, or database. We may need to periodically clean up expired sessions on the server.

Token-based authentication methods

With token-based authentication, there is no need to store a user’s login record on the server. The general process is like this:

  1. The client requests login using the username and password
  2. The server receives the request and verifies the username and password
  3. After the authentication succeeds, the server issues a Token and sends the Token to the client
  4. After receiving the Token, the client can store it, for example, in a Cookie or Local Storage
  5. Each time a client requests resources from the server, it must carry a Token signed by the server
  6. The server receives the request and verifies the Token in the request. If the verification succeeds, it returns the requested data to the client

JWT

There are many ways to implement Token verification, and there are also standards for it, such as JWT (JSON Web Token). A standard JWT has three parts:

  • header
  • payload
  • signature

The three parts are separated by dots, and each is Base64url encoded, so a real Token looks something like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc

Header

The Header consists of two parts: the Token type and the algorithm used to sign it. In the example below the type is JWT and the algorithm is HS256 (HMAC with SHA-256).

{
  "typ": "JWT",
  "alg": "HS256"
}

The above content is encoded in Base64, so it looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Payload

The Payload is the actual content of the Token. Some of its fields are standard, and you can add other fields as you wish. The standard fields are:

  • iss: Issuer
  • sub: Subject
  • aud: Audience
  • exp: Expiration time
  • nbf: Not before
  • iat: Issued at
  • jti: JWT ID

So, for example, the Payload below uses the standard iss (issuer) and exp (expiration time) fields, plus two custom fields, name and admin.

{
  "iss": "ninghao.net",
  "exp": "1438955445",
  "name": "wanghao",
  "admin": true
}

Using Base64 encoding, it looks like this:

eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ

Signature

The last part of the JWT is the Signature. It is computed from three inputs: the Base64url-encoded header and payload joined by a dot (header.payload), the signing algorithm named in the header, and a secret. The secret is kept private on the server, since anyone holding it could produce valid signatures.

  • header
  • payload
  • secret
var crypto = require('crypto');  // Node.js; header and payload are the JSON strings shown above
var base64UrlEncode = function (s) { return Buffer.from(s).toString('base64url'); };
var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);
var signature = base64UrlEncode(crypto.createHmac('sha256', 'secret').update(encodedString).digest());

The resulting signature looks something like this:

SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc

The complete Token generated on the server and sent to the client then looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ.SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc

The client receives the Token and stores it, sending it back with its next request to the server. The server receives the Token, verifies it, and returns the requested resource to the client.
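The numbered login-and-verify flow above and the header.payload.signature construction just described, carried through in one added Python example (this is not code from the original post or from ninghao.net). It assumes HS256 with a constructed placeholder secret (b"secret"), a constructed user table, and the sample payload shown above; because that sample stores exp as a string, the expiry check converts it with int() and treats it as a Unix timestamp. The verifier pins the algorithm to HS256 rather than trusting the token's own header, compares signatures in constant time, and rejects expired tokens, which is what step 6 of the flow has to do in practice.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder secret: a real server uses a long random key that never leaves it.
SECRET = b"secret"

# The payload shown in the post (exp kept as the string the post uses).
SAMPLE_PAYLOAD = {"iss": "ninghao.net", "exp": "1438955445", "name": "wanghao", "admin": True}

# The complete token shown in the post.
SAMPLE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJpc3MiOiJuaW5naGFvLm5ldCIsImV4cCI6IjE0Mzg5NTU0NDUiLCJuYW1lIjoid2FuZ2hhbyIsImFkbWluIjp0cnVlfQ."
                "SwyHTEx_RQppr97g4J5lKXtabJecpejuef8AqKYMAJc")

# Constructed user table for the login step; a real system stores a slow password hash (bcrypt/argon2).
USERS = {"wanghao": "correct horse battery staple"}


class TokenError(Exception):
    """Raised when a token fails any verification step."""


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, the alphabet JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    """Compact JSON (no whitespace), then base64url: this is how the header and payload strings arise."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(signing_input: str, secret: bytes) -> str:
    """HMAC-SHA256 over 'header.payload', base64url-encoded: the third part of the token."""
    return b64url_encode(hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest())


def issue_token(payload: dict, secret: bytes) -> str:
    """Step 3: build header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = encode_part(header) + "." + encode_part(payload)
    return signing_input + "." + sign_hs256(signing_input, secret)


def decode_unverified(token: str) -> tuple:
    """Read header and payload without checking the signature (inspection only; never trust the result)."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Step 6: check structure, pinned algorithm, signature and expiry; return the payload if all pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise TokenError("header is not valid base64url JSON")
    # The server decides the algorithm; a token claiming "none" or any other alg is rejected outright.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = sign_hs256(header_b64 + "." + payload_b64, secret)
    if not hmac.compare_digest(expected.encode("ascii"), sig_b64.encode("utf-8")):
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" in payload:
        now = int(time.time()) if now is None else now
        if now >= int(payload["exp"]):
            raise TokenError("token expired")
    return payload


def login(username: str, password: str, now: int, ttl: int = 3600):
    """Steps 1-3: check credentials and, on success, issue a token that expires after ttl seconds."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        return None
    return issue_token({"iss": "ninghao.net", "sub": username, "exp": now + ttl}, SECRET)


if __name__ == "__main__":
    now = int(time.time())
    token = login("wanghao", "correct horse battery staple", now)
    print("issued:", token)
    print("verified payload:", verify_token(token, SECRET, now=now + 10))
    print("header and payload of the post's sample token:", decode_unverified(SAMPLE_TOKEN))
```

Running the script issues a token for the constructed user, verifies it, and decodes the post's sample token back into the header and payload JSON shown above. Note that decode_unverified only reads the token; the payload is plain base64url, readable by anyone, so nothing secret belongs in it, and only verify_token's signature check makes its contents trustworthy.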

A link to the