Skip to main content

JWT

https://auth0.com/blog/cookies-vs-tokens-definitive-guide/

强项

  • 快速开发
  • 不需要 Cookie
  • JSON 相对友好
  • 不依赖社交登陆
  • 概念简单易于理解

限制

  • Token 有大小限制
  • Token 不能被回收
  • 需要 Token 有个较短的失效周期
字段全称含义
issIssuer发出者
subSubject一般为用户 id
audAudience接受者
expExpiration time失效时间
nbfNot before在这之前不生效
iatIssued at发出时间
jtiJWT ID
typType类型,由用户扩展

常见算法

示例

{  "iss": "http://example.org",  "aud": "http://example.com",  "iat": 1356999524,  "nbf": 1357000000}
{  "iss": "https://oidc.my.com",  "x5t": "AAAAAAAAAAAAAAAAAAAA"  "typ": "JWT"  "alg": "RS265"}
{  "sub": "wener"  "name": "Wener"  "email": "[email protected]"  "phone_number": "1852159826715"  "aud": "https://otheremail.com"  "iss": "https://oidc.my.com"  "nbf": 1497868409096  "jti": "ANpzy7AyyANx0Cn8WMP5N7bG3E8awOhB"  "exp": 1497868509096  "nbf": 1497868409096}

JWKS#

https://www.googleapis.com/service_accounts/v1/jwk/[email protected]

https://auth0.com/docs/tokens/reference/jwt/jwks-properties

https://sandrino.auth0.com/.well-known/jwks.json https://sandrino.auth0.com/pem

https://docs.hasura.io/1.0/graphql/manual/auth/authentication/jwt.html

{  "keys": [    {      "alg": "RS256",      "kty": "RSA",      "use": "sig",      "n": "",      "e": "AQAB",      "kid": "RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg",      "x5t": "RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg",      "x5c": [        // base64 编码        ""      ]    }  ]}

https://developers.google.com/identity/protocols/OpenIDConnect

{  "keys": [    {      "e": "AQAB",      "kty": "RSA",      "alg": "RS256",      "n": "1Zi0-4bNwZ7gGefz17U2NoKT4xBq-nzAa899teHxB2Q9KVCZYDhbQkpiIrBNg2u8s6TtoSljpq6MJpsKJVJgpT70gDCCgaUsGNYql9-kwWNKd80FlU1sjDEGouUIVEoYHzooPyn9r027KzMnTv5LGRYjxb5lvGnb4UCw5MF_EeSTNpGD7zb0b6juXwBxPi0oIUbQxAcGgH3oS40hXAjJ_U2T3Hln8lBlnVhLbrh-5qF-uoYDxjtAY9XyEJQH_rGiRfXWgBfSM02t9DCB46sQbEMM2iLe7mkGrZtCHR4zbAsAP0s2VGqSmwszNTWqqsdOccbfXp3i_ThkR3pDdTSIQQ",      "use": "sig",      "kid": "57b1928f2f63329f2e92f4f278f94ee1038c923c"    },    {      "e": "AQAB",      "kty": "RSA",      "alg": "RS256",      "n": "rEpSQ8IO8Gauj5AGRbgfwfaxHRMGONuTog4fWKWzZYxdWa76khbynWTAzUJVzw_FaAiZGnl7tlmD7pdKWOHszrcK2Hru87KzeRnnqvWlSqdKValu6x5TfBnJwxgr-L8Mnu4xNnrMG2AWcRkjFVWQmwZyEF3WroRzbxrVTlChD_UydnRuiV1z0BPkLOxTzF5RH21ukImElOm3AFIFXP5h8Z0yLrFEcxzLgDIt7wC68apH7uRmy2-a9D4b4Jwi3HRlAgsYAKXYeEQC3f8Mv03liJBv3CPZU4EyXLQUJA28b8l5NUSDI9tnbrfP8SIXlqLz8mNfuKR18LAU3s9sv-sR3Q",      "use": "sig",      "kid": "47456b8069e4365e517ca5e29757d1a9efa567ba"    }  ]}