What is JWT? A brief understanding of JWT-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

What is JWT? A brief understanding of JWT

不言

Oct 10, 2018 pm 05:09 PM

jwtphp

This article brings you what is JWT? A simple understanding of JWT has certain reference value. Friends in need can refer to it. I hope it will be helpful to you.

I have never taken a good look at jwt until I had to do web verification two days ago. A friend recommended jwt to me. Only then did I discover that jwt has been widely used by everyone. It seems I'm a little out. Haha, take advantage of the world to take a good look at this.

JWT (JSON Web Token), as the name suggests, is a token that can be transmitted on the Web. This token is formatted in JSON format. It is an open source standard (RFC 7519) that defines a compact, self-contained way to securely transmit information in JSON format between different entities.

Since many projects now have front-end and back-end separation, restful api mode. Therefore, the traditional session mode cannot meet the authentication requirements. At this time, the role of jwt comes. It can be said that restful api authentication is a good application scenario of jwt.

The following is a small demo

<?php
require_once &#39;src/JWT.php&#39;;
header(&#39;Content-type:application/json&#39;);
//定义Key
const KEY = &#39;dasjdkashdwqe1213dsfsn;p&#39;;

$user = [
    &#39;uid&#39;=>&#39;dadsa-12312-vsd1s1-fsds&#39;,
    &#39;account&#39;=>&#39;daisc&#39;,
    &#39;password&#39;=>&#39;123456&#39;
];
$redis = redis();
$action  =  $_GET[&#39;action&#39;];
switch ($action)
{
    case &#39;login&#39;:
        login();
        break;
    case &#39;info&#39;:
        info();
        break;

}
//登陆，写入验证token
function login()
{
    global  $user;
    $account = $_GET[&#39;account&#39;];
    $pwd = $_GET[&#39;password&#39;];
    $res = [];
    if($account==$user[&#39;account&#39;]&&$pwd==$user[&#39;password&#39;])
    {
        unset($user[&#39;password&#39;]);
        $time = time();
        $token = [
            &#39;iss&#39;=>&#39;http://test.cc&#39;,//签发者
            &#39;iat&#39;=>$time,
            &#39;exp&#39;=>$time+60,
            &#39;data&#39;=>$user
        ];
        $jwt = \Firebase\JWT\JWT::encode($token,KEY);
        $res[&#39;code&#39;] = 200;
        $res[&#39;message&#39;] = &#39;登录成功&#39;;
        $res[&#39;jwt&#39;] = $jwt;

    }
    else
    {
        $res[&#39;message&#39;]= &#39;用户名或密码错误&#39;;
        $res[&#39;code&#39;] = 401;
    }
    exit(json_encode($res));
}





function info()
{
   $jwt = $_SERVER[&#39;HTTP_AUTHORIZATION&#39;] ?? false;
   $res[&#39;code&#39;] = 200;
   if($jwt)
   {
        $jwt = str_replace(&#39;Bearer &#39;,&#39;&#39;,$jwt);
        if(empty($jwt))
        {
            $res[&#39;code&#39;] = 401;
            $res[&#39;msg&#39;] = &#39;You do not have permission to access.&#39;;
            exit(json_encode($res));
        }
        try{
            $token = (array) \Firebase\JWT\JWT::decode($jwt,KEY, [&#39;HS256&#39;]);
            if($token[&#39;exp&#39;]<time())
            {
                $res[&#39;code&#39;] = 401;
                $res[&#39;msg&#39;] = &#39;登录超时，请重新登录&#39;;
            }
            $res[&#39;data&#39;]= $token[&#39;data&#39;];
        }catch (\Exception $E)
        {
            $res[&#39;code&#39;] = 401;
            $res[&#39;msg&#39;] = &#39;登录超时，请重新登录.&#39;;
        }
   }
   else
   {
       $res[&#39;code&#39;] = 401;
       $res[&#39;msg&#39;] = &#39;You do not have permission to access.&#39;;
   }
    exit(json_encode($res));
}



//连接redis
function redis()
{
    $redis = new  Redis();
    $redis->connect(&#39;127.0.0.1&#39;);
    return $redis;
}

This dmeo uses jwt to perform a simple authentication. A php-jwt encryption package is used. https://github.com/firebase/php-jwt

where KEY is the defined private key, which is the sign part in jwt. This must be saved.
The header part of the php-jwt package has been completed for us. The encryption code is as follows

    */
    public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $head = null)
    {
        $header = array('typ' => 'JWT', 'alg' => $alg);
        if ($keyId !== null) {
            $header['kid'] = $keyId;
        }
        if ( isset($head) && is_array($head) ) {
            $header = array_merge($head, $header);
        }
        $segments = array();
        $segments[] = static::urlsafeB64Encode(static::jsonEncode($header));
        $segments[] = static::urlsafeB64Encode(static::jsonEncode($payload));
        $signing_input = implode('.', $segments);

        $signature = static::sign($signing_input, $key, $alg);
        $segments[] = static::urlsafeB64Encode($signature);

        return implode('.', $segments);
    }

It can be seen that the default encryption method is HS256. This is also the reason why jwt is safe. At this stage, HS256 encryption is still very secure.
This package also supports certificate encryption.

This package has completed the encryption and decryption process for us. So we only need to define the poyload part in jwt. That is the token part in the demo. If the encryption is successful, an encrypted JWT string will be obtained. The front end needs to carry this JWT string as authentication next time when requesting the API.
Add Authorization in the header. During server-side verification, this value is obtained to verify the validity of the reply.

The following are some common configurations of poyload

 $token   = [
            #非必须。issuer 请求实体，可以是发起请求的用户的信息，也可是jwt的签发者。
            "iss"       => "http://example.org",
            #非必须。issued at。 token创建时间，unix时间戳格式
            "iat"       => $_SERVER['REQUEST_TIME'],
            #非必须。expire 指定token的生命周期。unix时间戳格式
            "exp"       => $_SERVER['REQUEST_TIME'] + 7200,
            #非必须。接收该JWT的一方。
            "aud"       => "http://example.com",
            #非必须。该JWT所面向的用户
            "sub"       => "jrocket@example.com",
            # 非必须。not before。如果当前时间在nbf里的时间之前，则Token不被接受；一般都会留一些余地，比如几分钟。
            "nbf"       => 1357000000,
            # 非必须。JWT ID。针对当前token的唯一标识
            "jti"       => '222we',
            # 自定义字段
            "GivenName" => "Jonny",
            # 自定义字段
            "name"   => "Rocket",
            # 自定义字段
            "Email"     => "jrocket@example.com",
         
        ];

The configurations contained in it can be configured freely, or you can add some others by yourself. These are commonly used by everyone on the Internet, and it can be said to be a kind of agreement.

The above is the detailed content of What is JWT? A brief understanding of JWT. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:segmentfault思否. If there is any infringement, please contact admin@php.cn delete

How to make PHP applications fasterMay 12, 2025 am 12:12 AM

TomakePHPapplicationsfaster,followthesesteps:1)UseOpcodeCachinglikeOPcachetostoreprecompiledscriptbytecode.2)MinimizeDatabaseQueriesbyusingquerycachingandefficientindexing.3)LeveragePHP7 Featuresforbettercodeefficiency.4)ImplementCachingStrategiessuc

PHP Performance Optimization Checklist: Improve Speed NowMay 12, 2025 am 12:07 AM

ToimprovePHPapplicationspeed,followthesesteps:1)EnableopcodecachingwithAPCutoreducescriptexecutiontime.2)ImplementdatabasequerycachingusingPDOtominimizedatabasehits.3)UseHTTP/2tomultiplexrequestsandreduceconnectionoverhead.4)Limitsessionusagebyclosin

PHP Dependency Injection: Improve Code TestabilityMay 12, 2025 am 12:03 AM

Dependency injection (DI) significantly improves the testability of PHP code by explicitly transitive dependencies. 1) DI decoupling classes and specific implementations make testing and maintenance more flexible. 2) Among the three types, the constructor injects explicit expression dependencies to keep the state consistent. 3) Use DI containers to manage complex dependencies to improve code quality and development efficiency.

PHP Performance Optimization: Database Query OptimizationMay 12, 2025 am 12:02 AM

DatabasequeryoptimizationinPHPinvolvesseveralstrategiestoenhanceperformance.1)Selectonlynecessarycolumnstoreducedatatransfer.2)Useindexingtospeedupdataretrieval.3)Implementquerycachingtostoreresultsoffrequentqueries.4)Utilizepreparedstatementsforeffi

Simple Guide: Sending Email with PHP ScriptMay 12, 2025 am 12:02 AM

PHPisusedforsendingemailsduetoitsbuilt-inmail()functionandsupportivelibrarieslikePHPMailerandSwiftMailer.1)Usethemail()functionforbasicemails,butithaslimitations.2)EmployPHPMailerforadvancedfeatureslikeHTMLemailsandattachments.3)Improvedeliverability

PHP Performance: Identifying and Fixing BottlenecksMay 11, 2025 am 12:13 AM

PHP performance bottlenecks can be solved through the following steps: 1) Use Xdebug or Blackfire for performance analysis to find out the problem; 2) Optimize database queries and use caches, such as APCu; 3) Use efficient functions such as array_filter to optimize array operations; 4) Configure OPcache for bytecode cache; 5) Optimize the front-end, such as reducing HTTP requests and optimizing pictures; 6) Continuously monitor and optimize performance. Through these methods, the performance of PHP applications can be significantly improved.

Dependency Injection for PHP: a quick summaryMay 11, 2025 am 12:09 AM

DependencyInjection(DI)inPHPisadesignpatternthatmanagesandreducesclassdependencies,enhancingcodemodularity,testability,andmaintainability.Itallowspassingdependencieslikedatabaseconnectionstoclassesasparameters,facilitatingeasiertestingandscalability.

Increase PHP Performance: Caching Strategies & TechniquesMay 11, 2025 am 12:08 AM

CachingimprovesPHPperformancebystoringresultsofcomputationsorqueriesforquickretrieval,reducingserverloadandenhancingresponsetimes.Effectivestrategiesinclude:1)Opcodecaching,whichstorescompiledPHPscriptsinmemorytoskipcompilation;2)DatacachingusingMemc

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks agoByDDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

How to fix KB5055612 fails to install in Windows 10?

3 weeks agoByDDD

Nordhold: Fusion System, Explained

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Mandragora: Whispers Of The Witch Tree - How To Unlock The Grappling Hook

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment

MantisBT

Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

SublimeText3 Linux new version

SublimeText3 Linux latest version

Hot Topics

1666

1425

1327

1273

1252