This article quotes part of Feng Yu’s article “JWT Technology to Solve the Authentication Pain Point of IM Systems”, reorganized, supplemented and revised by Instant Messenger Network. Thanks to the original author for sharing selflessly.


1. Introduction





2. Original author







Feng Yu:






Feng Yu has also shared other IM technical practices and summaries that you may be interested in:





  • “Building the Guazi Used Car IM System from Scratch (PPT)”
  • Sharing of Mobile Terminal IM Architecture Design Practice for a Set of Massive Online Users (with detailed pictures and text)
  • Discussion on a Low-cost Method to Ensure IM Message Timing
  • How to Ensure the Efficiency and Real-time Performance of Mass Group Message Push in Mobile Terminal IM?


3. Series of articles



This article is the seventh in a series of articles on IM communication security.





  • Instant Messaging Security part 1: Understanding and Using Android Encryption Algorithms Correctly
  • Instant Messaging Security part 2: Exploring the Application of Combined Encryption Algorithms in IM
  • Instant Messaging Security part 3: Introduction to Common Encryption and Decryption Algorithms and Communication Security
  • Instant Messaging Security part 4: A Case Study of the Risks of Hard-coding Keys in Android
  • Instant Messaging Security part 5: Application Practice of Symmetric Encryption Technology on Android
  • Instant Messaging Security part 6: Principles and Practices of Asymmetric Encryption
  • Instant Messaging Security part 7: Using JWT Technology to Solve the IM System Socket Long Connection Identity Authentication Pain Point (this article)


4. Technical pain points we face



Understand the principle of the front HTTP SSO single sign-on interface






Our IM long-connection channel also uses this system for security authentication; its structure is shown below:










As shown in the figure above, the whole authentication steps are as follows:





  • 1) The user logs in to the App, and the App gets the token issued by SSO from the business backend;
  • 2) When the App needs to use the IM function, it passes the token to the IM client SDK;
  • 3) The client SDK uses the token for authentication when it establishes a long connection with IM Server;
  • 4) IM Server asks the SSO system to verify the validity of the token.



* Added: Understand the principle of the front HTTP SSO single sign-on interface












Why is the above structure not suitable for mobile IM? Here is why:





  • 1) Unstable network: the network of a mobile phone (mobile terminal) is very unstable; the connection may drop when entering or leaving the subway, or the base station may change as the user moves;
  • 2) Long connections are frequently established and released: because of 1), long connections are frequently re-established during a chat session, so step 3 in the figure above is executed frequently, and therefore step 4 is as well;
  • 3) System pressure increases: given 2), the pressure on the SSO system increases greatly (because IM instances need to call the SSO system frequently to fully check the identity validity of each client long connection);
  • 4) User experience suffers: during long connection establishment, the SSO system is outside the IM server instance, and the communication between the IM server instance and the SSO system adds link latency, which also hurts user experience (and the SSO system may be temporarily unavailable).









* Digression:





  • Summary of Optimization Methods for Short Connections in Modern Mobile Networks: Request Speed, Weak Network Adaptation, and Security Guarantee
  • Mobile IM Developers Must Read (1): Easy to Understand the “Weak” and “Slow” Mobile Web
  • Mobile IM Developers Must Read (2): Summary of the Most Complete Mobile Weak Network Optimization Methods Ever


5. Fully understand what JWT technology is


5.1 Basic Knowledge



RFC 7519






What does a complete JWT token string look like?













As shown in the figure above, a JWT token string consists of the following:





  • 1) The red part is the header: it specifies the token type and the signature algorithm;
  • 2) The purple part is the payload: it stores the user ID and other key information;
  • 3) The blue part is the signature: it guarantees the integrity and authenticity of the whole token (this signature string looks like a piece of ciphertext, and the token’s security rests on it).


5.2 Decoding JWT Headers (Header)









This can be represented as a JSON object:

{
  "typ": "JWT",
  "alg": "HS256"
}











eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9



Tool.oschina.net/encrypt?typ…





5.3 Decoding JWT Payloads



In the payload you can define the following properties (claims):





  • 1) iss: the issuer of the JWT;
  • 2) sub: the subject, i.e. the user the JWT is about;
  • 3) aud: the audience, i.e. the party receiving the JWT;
  • 4) exp (expiration time): when the JWT expires, as a Unix timestamp;
  • 5) iat (issued at): when the JWT was issued.









This string is called the Payload of JWT. The following sample string is the one you saw in purple in Section 5.1:


eyJpc3MiOiIyOWZmMDE5OGJlOGM0YzNlYTZlZTA4YjE1MGRhNTU0NC1XRUIiLCJleHAiOjE1MjI0OTE5MTV9



Tool.oschina.net/encrypt?typ…





5.4 Parsing JWT Signatures



JWT’s signature section is described in the official documentation as follows:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)



The meaning of the above pseudo-code is as follows: the Base64URL-encoded header and payload are joined with a "." to form the signing input:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiIyOWZmMDE5OGJlOGM0YzNlYTZlZTA4YjE1MGRhNTU0NC1XRUIiLCJleHAiOjE1MjI0OTE5MTV9

That is, the header string, a "." separator, then the payload string; this input is then processed with HMAC-SHA256 under the secret.












So, following RFC 7519 and the method described above, we obtain the signature string:

P-k-vIzxElzyzFbzR4tUxAAET8xT9EP49b7hpcPazd0








5.5 Purpose of Signature









In general:






In other words:






When using:











5.6 A typical JWT application process



What is the JWT flow? First, the figure from the official documentation:










As shown in the figure above, the entire application process is described as follows:





  • 1) The client requests the login interface with its account and password;
  • 2) After a successful login, the server generates a JWT with its signing key and returns the JWT to the client;
  • 3) When the client requests other interfaces from the server, it carries the JWT;
  • 4) On receiving the JWT, the server verifies the validity of the signature and responds to the client accordingly.


5.7 In summary

























High-performance Message Push for iOS Based on APNs latest HTTP/2 Interface







Apple official developer documentation


6. How do we use JWT technology?









The flow in which we use JWT to verify the IM Socket long connection is as follows:










As shown in the figure above, the whole verification process is described as follows:





  • 1) The user logs in to the App (which uses the IM client SDK), and the App gets the token issued by the SSO system from the business backend (note: this token is not a JWT token; it will be used in step 3 to obtain the real JWT token);
  • 2) When the App needs to use the IM function, the token is passed to the IM client SDK (this happens on the client, i.e. when the App’s code calls the IM client SDK);
  • 3) The IM client SDK sends the user name and the token obtained in step 2 to the backend JWT Server (the module that issues JWT tokens) to request a JWT token;
  • 4) After receiving the token submitted in step 3, JWT Server submits it to the SSO system (via RPC or a similar mechanism) to verify its validity. If the token is valid, JWT Server uses the Secret agreed with IM Server (you can think of it simply as a fixed password) to issue a JWT token as required by the business, which is finally returned to the IM client SDK (completing the request of step 3);
  • 5) After that, the IM client SDK uses the JWT token it obtained to request long-connection verification from IM Server, and IM Server uses the agreed algorithm (applying the JWT rules directly, without relying on any other system) together with the Secret agreed with JWT Server in step 4 to verify the validity of the JWT token.
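As an added example (not the article’s or the project’s own code), the issue/verify pair behind steps 4 and 5 above, with the HS256 signature computed the way Section 5.4 describes; the shared secret and user id are constructed placeholders. The verifier pins the algorithm, compares signatures in constant time and enforces exp, which is the only cut-off available because an issued JWT cannot be revoked.

```python
import base64
import hashlib
import hmac
import json

# Added example (not the article's or the project's code): the Section 6 issue/verify
# flow, with the HS256 signature computed exactly as Section 5.4 describes. The secret
# below is a constructed stand-in for the Secret agreed between JWT Server and IM Server.
SHARED_SECRET = b"constructed-demo-secret"

def b64url_encode(raw: bytes) -> str:
    # Base64URL without '=' padding, as the JWT spec requires.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def decode_part(text: str):
    # Decode one Base64URL segment (header or payload) back into its JSON value.
    return json.loads(b64url_decode(text))

def issue_jwt(user_id: str, secret: bytes, ttl: int, now: int) -> str:
    # JWT Server (step 4): header.payload, then HMAC-SHA256 with the shared secret.
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"iss": user_id, "iat": now, "exp": now + ttl}
    signing_input = encode_part(header) + "." + encode_part(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, secret: bytes, now: int):
    # IM Server (step 5): verify locally with the shared secret, no call to the SSO system.
    # Returns the payload dict on success and None on any failure.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header, payload = decode_part(header_b64), decode_part(payload_b64)
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad Base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose how it is verified
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None  # expired: exp is the only cut-off, since an issued JWT cannot be revoked
    return payload
```

decode_part applied to the header and payload strings from Section 5.2 and 5.3 recovers the JSON objects the article shows; the same secret must be present on JWT Server and IM Server, and nothing else is consulted at verification time.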





7. Disadvantages of JWT technology









Disadvantages of JWT technology and suggested solutions mainly include:





  • 1) The biggest disadvantage of JWT is that the server does not store session state, so a token cannot be revoked or have its permissions changed while it is in use. That is, once a JWT is issued, it remains valid until it expires;
  • 2) The JWT itself contains the authentication information (i.e. the header and payload you saw in Section 5.1), so anyone who obtains the token gains full access once it is leaked. To reduce the impact of theft, the JWT validity period should not be set too long, and for important operations the user should authenticate again each time;
  • 3) To reduce theft, JWT should not be transferred over plain HTTP but over the encrypted HTTPS (SSL) protocol.






www.jianshu.com/p/af8360b83…


8. References









The HTTPS protocol





















Instant Messaging Security part 3: Common Encryption and Decryption Algorithms and Communication Security



Instant Messaging Security part 6: Asymmetric encryption principles and practices


Appendix: More articles on instant messaging

If you are a beginner in IM development, it is strongly recommended to read:

  • Just One Entry for Beginners: Developing Mobile IM from Scratch

Here are some of the articles on IM security:

  • Instant Messaging Security part 1: Understanding and Using Android Encryption Algorithms Correctly
  • Instant Messaging Security part 2: Exploring the Application of Combined Encryption Algorithms in IM
  • Instant Messaging Security part 3: Common Encryption and Decryption Algorithms and Communication Security
  • Instant Messaging Security part 4: Example Analysis of Key Hard-coding Risks in Android
  • Instant Messaging Security part 5: Application Practice of Symmetric Encryption Technology on the Android Platform
  • Instant Messaging Security part 6: Asymmetric Encryption Principles and Practices
  • Instant Messaging Security part 7: Using JWT Technology to Solve the IM System Socket Long Connection Identity Authentication Pain Point
  • Introduction and Demo of the Java Platform Implementation of the Transport Layer Security Protocol SSL/TLS
  • Theory and Practice: A Typical Design of an IM Communication Protocol (Including Security Layer Design)
  • WeChat’s New Generation Communication Security Solution: MMTLS Based on TLS 1.3
  • From Ali OpenIM: Technical Practice Sharing for Building a Secure and Reliable Instant Messaging Service
  • How End-to-End Encryption (E2EE) Works in Real-time Audio and Video Chat
  • Mobile Terminal Secure Communication Weapon: End-to-End Encryption (E2EE) Technology in Detail
  • Instant Messaging Security on the Web: Cross-site WebSocket Hijacking (with Sample Code)
  • Easy to Understand: Mastering the Principles of Instant Messaging Message Transmission Security
  • Understanding Cookies, Sessions, and Tokens in HTTP Short Connections
  • Quick Understanding of Quantum Communication and Quantum Encryption Technology
  • Instant Messaging Security (7): If You Want to Understand HTTPS This Way, One Article Is Enough
  • What Problem Does HTTPS Solve, in One Minute
  • More of the same…