A brief introduction to JWT in python

This article brings you a brief introduction to JWT in python. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to you.

Json web token (JWT) is an open standard based on JSON (RFC 7519) for conveying claims between web application environments. The token is designed to be compact and secure , especially suitable for single sign-on (SSO) scenarios of distributed sites. JWT claims are generally used to transfer authenticated user identity information between identity providers and service providers in order to obtain resources from resource servers, and can also Add some additional declaration information necessary for other business logic. The token can also be used directly for authentication or encrypted.

Problems based on session authentication
Session: Each user passes After our application is authenticated, our application must make a record on the server to facilitate the identification of the user's next request. Generally speaking, the session is stored in memory, and as the number of authenticated users increases, the overhead on the server will increase. Significantly increased.

Scalability: After user authentication, the server makes authentication records. If the authentication records are saved in memory, this means that the user's next request must be made on this server. , Only in this way can authorized resources be obtained, which accordingly limits the capabilities of the load balancer in distributed applications. This also means limiting the expansion capabilities of the application.

CSRF: Because it is based on cookies For user identification, if the cookie is intercepted, the user will be vulnerable to cross-site request forgery attacks.

The composition of JWT
The first part is called the header, and the second part is called the header. Part of it is called payload (similar to items carried on an airplane), and the third part is visa (signature).

header
The header of jwt carries two parts of information:

Declare the type, here is jwt
Declare the encryption algorithm usually directly using HMAC SHA256
The complete header is like the following JSON:

{
  'typ': 'JWT',
  'alg': 'HS256'
}

Then the header is base64 encrypted (the Encryption can be decrypted symmetrically), which constitutes the first part.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
payload
The payload is where valid information is stored. This name seems to refer specifically to the goods carried on the aircraft. This valid information contains three parts

Statements registered in the standard
Public statements
Private statements
Statements registered in the standard (recommended but not mandatory):

iss: jwt issuer
sub: The user for whom jwt is directed
aud: The party receiving jwt
exp: The expiration time of jwt, this expiration time must be greater than the issuance time
nbf: Definition Before what time, the jwt is unavailable.
iat: jwt issuance time
jti: The unique identity of jwt, mainly used as a one-time token to avoid replay attacks.
signature
The third part of JWT is a visa information. This visa information consists of three parts:

header (after base64)
payload (after base64)
secret
This part requires the use of base64 encrypted header and base64 encrypted payload. The string composed of concatenation is then encrypted by salting the secret secret through the encryption method declared in the header, and then constitutes the third part of jwt.
Concatenate these three parts into a complete string using . to form the final jwt
The secret is saved on the server side, and the issuance and generation of jwt is also done on the server side. The secret is used for the issuance and issuance of jwt. jwt verification, so it is the private key of your server and should not be exposed in any scenario. Once the client learns about this secret, it means that the client can self-sign jwt.

Advantages
Because of the versatility of json, JWT can be supported across languages, such as JAVA, JavaScript, NodeJS, PHP and many other languages.
Because of the payload part, JWT can store some non-sensitive information necessary for other business logic in itself.
Easy for transmission. The structure of jwt is very simple and the byte occupation is very small, so it is very easy to transmit.
It does not need to save session information on the server side, so it is easy to apply extensions
Security related
Sensitive information should not be stored in the payload part of jwt, because this part is the part that can be decrypted by the client.
Protect the secret private key, which is very important.
If possible, please use https protocol

The above is the detailed content of A brief introduction to JWT in python. For more information, please follow other related articles on the PHP Chinese website!