JWT

Tips

https://auth0.com/blog/cookies-vs-tokens-definitive-guide/

Strengths

  • Fast to develop against
  • No cookies required
  • JSON is relatively friendly to work with
  • Does not depend on social login
  • The concepts are simple and easy to understand

Limitations

  • Tokens have a practical size limit (they travel in a header on every request)
  • Tokens cannot be revoked once issued; only their expiry ends them
  • Tokens therefore need a short expiry period

Claims

  Field   Full name          Meaning
  iss     Issuer             Who issued the token
  sub     Subject            Usually the user id
  aud     Audience           Intended recipient(s)
  exp     Expiration time    Time after which the token is invalid
  nbf     Not before         Not valid before this time
  iat     Issued at          Time of issue
  jti     JWT ID             Unique identifier for this token (lets a verifier detect replay)
  typ     Type               Media type of the token, set by the application, normally "JWT" (a header parameter, not a payload claim)

exp, nbf and iat are NumericDate values: seconds since the Unix epoch, not milliseconds.

Common algorithms

  • HMAC + SHA256 (HS256; symmetric, so every verifier holding the secret can also mint tokens)
  • RSASSA-PKCS1-v1_5 + SHA256 (RS256)
  • ECDSA + P-256 + SHA256 (ES256)
  • RSA vs ECDSA
    • At the same security level
      • RSA: longer keys and signatures, faster signature verification
      • ECDSA: shorter keys and signatures, much faster key generation and signing
  • The verifier decides which algorithm and key it accepts; the alg field in the header is untrusted input until the signature has been checked

Examples

A payload carrying only registered claims:

{
  "iss": "http://example.org",
  "aud": "http://example.com",
  "iat": 1356999524,
  "nbf": 1357000000
}

A JOSE header; alg names the signing algorithm and x5t is the certificate thumbprint used to locate the key:

{
  "iss": "https://oidc.my.com",
  "x5t": "AAAAAAAAAAAAAAAAAAAA",
  "typ": "JWT",
  "alg": "RS256"
}

An OpenID Connect style ID token payload; nbf and exp are NumericDate values in seconds (a verifier comparing a millisecond value against a clock in seconds would never see the token expire):

{
  "sub": "wener",
  "name": "Wener",
  "email": "[email protected]",
  "phone_number": "1852159826715",
  "aud": "https://otheremail.com",
  "iss": "https://oidc.my.com",
  "jti": "ANpzy7AyyANx0Cn8WMP5N7bG3E8awOhB",
  "nbf": 1497868409,
  "exp": 1497868509
}
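As an added example (not code from the original note or from any library it links), the following stdlib-only Python mints an HS256 token carrying the registered claims from the table above and then verifies it the way a resource server should: the algorithm is pinned by the verifier rather than read from the header, the signature is checked in constant time before any claim is trusted, and iss, aud, exp and nbf are validated against a clock in seconds. The secret, issuer, audience and timestamps are made-up values.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for the demonstration; none of them come from the note above.
SECRET = b"demo-secret-do-not-reuse"
ISSUER = "https://oidc.my.com"
AUDIENCE = "https://api.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Return header.payload.signature with an HMAC-SHA256 signature."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidToken(Exception):
    pass


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None, leeway=0) -> dict:
    """Check the signature first, then the registered claims; return the payload."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three segments")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # The verifier pins the algorithm; the header is untrusted until the signature checks out.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):   # constant-time compare
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(p64))
    # Registered claims; exp and nbf are NumericDate = seconds since the Unix epoch.
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    if "exp" not in claims:
        raise InvalidToken("exp is required")
    if now >= claims["exp"] + leeway:
        raise InvalidToken("token expired")
    if now < claims.get("nbf", 0) - leeway:
        raise InvalidToken("token not yet valid")
    return claims


def _outcome(fn):
    try:
        return fn()
    except InvalidToken as exc:
        return str(exc)


def demo() -> dict:
    """Mint one token and show how the verifier treats it and three bad variants."""
    issued = 1497868409  # fixed clock so the run is reproducible
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "wener", "iat": issued,
              "nbf": issued, "exp": issued + 100, "jti": "ANpzy7AyyANx0Cn8WMP5N7bG3E8awOhB"}
    token = mint_hs256(claims, SECRET)
    h64, p64, s64 = token.split(".")
    tampered = h64 + "." + _json_segment(dict(claims, sub="admin")) + "." + s64   # payload edited, old signature
    alg_none = _json_segment({"alg": "none", "typ": "JWT"}) + "." + p64 + "."    # unsigned token
    check = lambda tok, at: _outcome(lambda: verify_hs256(tok, SECRET, ISSUER, AUDIENCE, now=at))
    return {
        "valid": check(token, issued + 50),
        "expired": check(token, issued + 200),
        "tampered": check(tampered, issued + 50),
        "alg_none": check(alg_none, issued + 50),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the four outcomes. Note the ordering in verify_hs256: nothing in the payload is read until the signature over exactly the received header and payload segments has been checked, and the accepted algorithm is a parameter of the verifier, not of the token.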

JWKS

https://www.googleapis.com/service_accounts/v1/jwk/[email protected]

https://auth0.com/docs/tokens/reference/jwt/jwks-properties

https://sandrino.auth0.com/.well-known/jwks.json
https://sandrino.auth0.com/pem

https://docs.hasura.io/1.0/graphql/manual/auth/authentication/jwt.html

{
"keys": [
{
"alg": "RS256",
"kty": "RSA",
"use": "sig",
"n": "",
"e": "AQAB",
"kid": "RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg",
"x5t": "RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg",
"x5c": [
// base64-encoded DER certificate chain (standard base64, not base64url)
""
]
}
]
}

https://developers.google.com/identity/protocols/OpenIDConnect

Google's signing keys as served from the jwks_uri in its OpenID Connect discovery document (public RSA keys only; n and e are base64url-encoded big-endian integers):

{
"keys": [
{
"e": "AQAB",
"kty": "RSA",
"alg": "RS256",
"n": "1Zi0-4bNwZ7gGefz17U2NoKT4xBq-nzAa899teHxB2Q9KVCZYDhbQkpiIrBNg2u8s6TtoSljpq6MJpsKJVJgpT70gDCCgaUsGNYql9-kwWNKd80FlU1sjDEGouUIVEoYHzooPyn9r027KzMnTv5LGRYjxb5lvGnb4UCw5MF_EeSTNpGD7zb0b6juXwBxPi0oIUbQxAcGgH3oS40hXAjJ_U2T3Hln8lBlnVhLbrh-5qF-uoYDxjtAY9XyEJQH_rGiRfXWgBfSM02t9DCB46sQbEMM2iLe7mkGrZtCHR4zbAsAP0s2VGqSmwszNTWqqsdOccbfXp3i_ThkR3pDdTSIQQ",
"use": "sig",
"kid": "57b1928f2f63329f2e92f4f278f94ee1038c923c"
},
{
"e": "AQAB",
"kty": "RSA",
"alg": "RS256",
"n": "rEpSQ8IO8Gauj5AGRbgfwfaxHRMGONuTog4fWKWzZYxdWa76khbynWTAzUJVzw_FaAiZGnl7tlmD7pdKWOHszrcK2Hru87KzeRnnqvWlSqdKValu6x5TfBnJwxgr-L8Mnu4xNnrMG2AWcRkjFVWQmwZyEF3WroRzbxrVTlChD_UydnRuiV1z0BPkLOxTzF5RH21ukImElOm3AFIFXP5h8Z0yLrFEcxzLgDIt7wC68apH7uRmy2-a9D4b4Jwi3HRlAgsYAKXYeEQC3f8Mv03liJBv3CPZU4EyXLQUJA28b8l5NUSDI9tnbrfP8SIXlqLz8mNfuKR18LAU3s9sv-sR3Q",
"use": "sig",
"kid": "47456b8069e4365e517ca5e29757d1a9efa567ba"
}
]
}
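As an added example (not from the note or from any of the linked providers) of what a verifier does with a JWKS document like the ones above: look the key up by the kid from the token header, check that kty, use and alg are what this verifier expects, rebuild the RSA public key from the base64url n and e, and verify the RS256 (RSASSA-PKCS1-v1_5 with SHA-256) signature. The RSA arithmetic is written out with the standard library so it runs offline; the key pair is built from two Mersenne primes purely so the run is reproducible and is a teaching key only, and the kid and claims are made-up.

```python
import base64
import hashlib
import json

# Demo key: p = 2^521 - 1 and q = 2^607 - 1 are known (Mersenne) primes, so the key
# is reproducible without a key generator. It is a teaching key only.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
N = _P * _Q                                 # 1128-bit modulus
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))        # private exponent (Python 3.8+)
KID = "demo-key-2017"                       # assumed key id

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_to_int(text: str) -> int:
    return int.from_bytes(b64url_decode(text), "big")

def int_to_b64url(value: int) -> str:
    return b64url_encode(value.to_bytes((value.bit_length() + 7) // 8, "big"))

def demo_jwks() -> dict:
    """A JWKS in the shape shown above; the second entry must never be chosen for signatures."""
    pub = {"kty": "RSA", "alg": "RS256", "n": int_to_b64url(N), "e": int_to_b64url(E)}
    return {"keys": [dict(pub, use="sig", kid=KID), dict(pub, use="enc", kid="other")]}

# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1).
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = _SHA256_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input: bytes) -> bytes:
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), _D, N).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    # Recompute the full encoded message and compare; never parse the padding leniently.
    return pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(signing_input, k)

def select_key(jwks: dict, kid) -> dict:
    """Look the key up by kid, then check it is the kind of key this verifier expects."""
    if not kid:
        raise ValueError("token header has no kid")
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            if key.get("kty") != "RSA" or key.get("use", "sig") != "sig" or key.get("alg", "RS256") != "RS256":
                raise ValueError("key %s is not an RS256 signing key" % kid)
            return key
    raise ValueError("no key with kid %s" % kid)

def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def mint_rs256(claims: dict) -> str:
    signing_input = _segment({"alg": "RS256", "typ": "JWT", "kid": KID}) + "." + _segment(claims)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode("ascii")))

def verify_rs256(token: str, jwks: dict) -> dict:
    """Signature check only; claim validation (exp, aud, iss) is a separate step."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":          # pinned by the verifier, not taken from the token
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = select_key(jwks, header.get("kid"))
    if not rs256_verify((h64 + "." + p64).encode("ascii"), b64url_decode(s64),
                        b64url_to_int(key["n"]), b64url_to_int(key["e"])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p64))

def _outcome(fn):
    try:
        return fn()
    except ValueError as exc:
        return str(exc)

def demo() -> dict:
    jwks = demo_jwks()
    token = mint_rs256({"sub": "wener", "iss": "https://oidc.my.com"})
    h64, p64, s64 = token.split(".")
    forged = h64 + "." + _segment({"sub": "admin"}) + "." + s64                        # edited payload
    wrong_key = _segment({"alg": "RS256", "typ": "JWT", "kid": "other"}) + "." + p64 + "." + s64  # points at the enc key
    return {"modulus_bits": N.bit_length(), "exponent": jwks["keys"][0]["e"],
            "valid": _outcome(lambda: verify_rs256(token, jwks)),
            "forged": _outcome(lambda: verify_rs256(forged, jwks)),
            "wrong_key": _outcome(lambda: verify_rs256(wrong_key, jwks))}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "e" of the demo key serialises to "AQAB", the same value as in the Google and Auth0 documents above, because both use the public exponent 65537. A real verifier would fetch the JWKS from the jwks_uri over TLS, cache it by kid, refresh once on an unknown kid, and only then go on to validate the claims.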