Backend DevelopmentPHP TutorialPHP development: How to use JWT for authentication and authorization
In modern web application development, security has become an integral part. Authentication and authorization are crucial in this regard, as they ensure that only authorized users can access protected resources. There are many authentication and authorization mechanisms available, of which JWT (JSON Web Token) is a particularly popular mechanism because it is simple, flexible, scalable and secure. In this article, we will explore how to use PHP and JWT for authentication and authorization.
Part One: JWT Basics
JSON Web Token (JWT) is an open standard for securely transmitting claims and authentication information over the web. It consists of three parts: header, payload and signature.
The header contains algorithm and token type information. An example of it might look like this:
{
"alg": "HS256",
"typ": "JWT"
}The payload contains the information that needs to be transmitted. For example, username, role and other information about the user. An example of a payload might look like this:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}A signature is an encrypted string containing the key used to verify that the JWT is valid. An example of a signature might look like this:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(claims), secret)
Part Two: Implementing JWT using PHP
In order to use JWT for authentication and authorization, we need a PHP class to generate and validate the JWT. Let’s look at the implementation of a simple PHP JWT class.
<?php
class JWT {
private $header;
private $payload;
private $secret;
public function __construct($header, $payload, $secret) {
$this->header = $header;
$this->payload = $payload;
$this->secret = $secret;
}
public function encode() {
$header = $this->base64UrlEncode(json_encode($this->header));
$payload = $this->base64UrlEncode(json_encode($this->payload));
$signature = $this->base64UrlEncode(hash_hmac('sha256', $header . '.' . $payload, $this->secret, true));
return $header . '.' . $payload . '.' . $signature;
}
public function decode($jwt) {
$parts = explode('.', $jwt);
$header = json_decode($this->base64UrlDecode($parts[0]), true);
$payload = json_decode($this->base64UrlDecode($parts[1]), true);
$signature = $this->base64UrlDecode($parts[2]);
$result = hash_hmac('sha256', $parts[0] . '.' . $parts[1], $this->secret, true);
if (hash_equals($result, $signature)) {
return $payload;
} else {
return null;
}
}
private function base64UrlEncode($data) {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
private function base64UrlDecode($data) {
return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) % 4, '=', STR_PAD_RIGHT));
}
}In this PHP class, $header, $payload and $secret store the JWT header, payload and secret information. The encode() method uses header, payload, and secret to generate a JWT string. decode() Method uses the given JWT string and key to get the payload information. The
base64UrlEncode() and base64UrlDecode() methods are used to encode and decode the JWT header and payload.
Part Three: Using JWT for Authentication and Authorization
Now, we have understood the basics of JWT and have a PHP JWT class for generating and validating JWT. So, how do we use JWT for authentication and authorization?
First, when a user logs in, a token can be sent using JWT to authenticate their identity. The server will generate a JWT with the username and password payload and send it to the client. The client will send this token as the Authorization header of the Bearer authentication scheme on every request. The server will extract the JWT from the header and verify its validity if necessary.
The following is a sample JWT implementation for authentication and authorization:
<?php
// 使用 JWT 登录
function login($username, $password) {
// 检查用户名和密码是否正确
$is_valid = validate_user_credentials($username, $password);
if (!$is_valid) {
return null;
}
// 生成 JWT
$header = array('alg' => 'HS256', 'typ' => 'JWT');
$payload = array('sub' => $username);
$jwt = new JWT($header, $payload, $GLOBALS['secret']);
$token = $jwt->encode();
// 返回 JWT
return $token;
}
// 验证 JWT
function validate_token($jwt) {
$jwt = new JWT($header, $payload, $GLOBALS['secret']);
$payload = $jwt->decode($jwt);
if ($payload == null) {
return false;
}
// 验证成功
return true;
}
// 保护资源
function protect_resource() {
// 检查 JWT 是否有效
$jwt = get_authorization_header();
if (!validate_token($jwt)) {
http_response_code(401);
exit();
}
// 资源保护
// ...
}
// 从标头获取 JWT
function get_authorization_header() {
$headers = getallheaders();
if (isset($headers['Authorization'])) {
return $headers['Authorization'];
}
return null;
}
// 检查用户名和密码是否正确
function validate_user_credentials($username, $password) {
// 验证用户名和密码
// ...
return true;
}
// 密钥
$GLOBALS['secret'] = "my-secret";
// 登录并获取 JWT
$token = login("username", "password");
// 将 JWT 添加到标头
$headers = array('Authorization: Bearer ' . $token);
// 保护资源
protect_resource($headers);In this example, the login() method uses the JWT class Create a JWT and return it for consumption by the client. validate_token() method can verify the validity of JWT. If the JWT is invalid, false will be returned.
get_authorization_header() Method extracts the JWT from the request header. protect_resource() The method is used to protect web resources. If the JWT is invalid, this function will raise a 401 error.
Finally, a secret is defined in the global scope, $GLOBALS ['secret'] , which should be a long string. Note that this password is a secret password and should not be included in your code base. Typically, this key is stored in an environment variable and managed by the operating system running the web server.
Conclusion
JWT is a very simple, flexible, scalable and secure mechanism that can be used for authentication and authorization in web applications. In this article, we have looked at the basics of JWT and seen a sample PHP class for generating and validating JWT. We also saw how JWT can be used for authentication and authorization. Now you can try JWT in your web applications to ensure your apps are more secure.
The above is the detailed content of PHP development: How to use JWT for authentication and authorization. For more information, please follow other related articles on the PHP Chinese website!
如何使用ThinkPHP6进行JWT认证?Jun 12, 2023 pm 12:18 PMJWT(JSONWebToken)是一种轻量级的认证和授权机制,它使用JSON对象作为安全令牌,可以在多个系统之间安全地传输用户身份信息。而ThinkPHP6是一种基于PHP语言的高效、灵活的MVC框架,它提供了许多有用的工具和功能,其中就包括JWT认证机制。在本文中,我们将介绍如何使用ThinkPHP6进行JWT认证,以保障Web应用程序的安全性和可靠
如何在PHP中使用JWT和JWE进行API身份验证和加密Jun 17, 2023 pm 02:42 PM随着互联网的发展,越来越多的网站和应用需要提供API接口来进行数据交互。在这种情况下,API身份验证和加密成为了非常重要的问题。而JWT和JWE作为一种流行的身份验证和加密机制,在PHP中的应用也越来越广泛。那么,本文将介绍如何在PHP中使用JWT和JWE进行API身份验证和加密。JWT的基本概念JWT代表JSONWe
PHP中的安全JWT令牌生成与验证技术解析Jul 01, 2023 pm 06:06 PMPHP中的安全JWT令牌生成与验证技术解析随着网络应用的发展,用户身份验证和授权变得越来越重要。JsonWebToken(JWT)是一种用于在网络应用中安全传输信息的开放标准(RFC7519)。在PHP开发中,使用JWT令牌来实现用户身份验证和授权已成为一种常见的做法。本文将介绍PHP中的安全JWT令牌生成与验证技术。一、JWT基础知识在了解如何生成与
Vue.js实现登录验证的完整指南(API、JWT、axios)Jun 09, 2023 pm 04:04 PMVue.js是一种流行的JavaScript框架,用于构建动态Web应用程序。实现用户登录验证是开发Web应用程序的必要部分之一。本文将介绍使用Vue.js、API、JWT和axios实现登录验证的完整指南。创建Vue.js应用程序首先,我们需要创建一个新的Vue.js应用程序。我们可以使用VueCLI或手动创建一个Vue.js应用程序。安装axiosax
深入解析JWT(JSON Web Token)的原理及用法Jan 10, 2023 am 10:55 AM本篇文章给大家带来了关于JWT的相关知识,其中主要介绍了什么是JWT?JWT的原理以及用法是什么?感兴趣的朋友,下面一起来看一下吧,希望对大家有帮助。
Beego中使用JWT实现身份验证Jun 22, 2023 pm 12:44 PM随着互联网和移动互联网的飞速发展,越来越多的应用需要进行身份验证和权限控制,而JWT(JSONWebToken)作为一种轻量级的身份验证和授权机制,在WEB应用中被广泛应用。Beego是一款基于Go语言的MVC框架,具有高效、简洁、可扩展等优点,本文将介绍如何在Beego中使用JWT实现身份验证。一、JWT简介JSONWebToken(JWT)是一种
怎么使用SpringBoot+SpringSecurity+jwt实现验证May 24, 2023 pm 08:07 PM环境springBoot2.3.3springSecurity5.0jjwt0.91pox.xml文件主要信息io.jsonwebtokenjjwt0.9.1org.springframework.bootspring-boot-starter-securityorg.springframework.bootspring-boot-starter-web目录结构信息请忽略文件命名jwtAccessDeniedHandler和JwtAuthenticationEntryPoint这两个类的作用是用
SpringBoot结合JWT怎么实现登录权限控制May 20, 2023 am 11:01 AM首先我们需要导入使用到的jwt的包:io.jsonwebtokenjjwt0.8.0com.auth0java-jwt3.2.0一、准备LoginUser(存放登录用户信息)和JwtUserLoginUser.javapublicclassLoginUser{privateIntegeruserId;privateStringusername;privateStringpassword;privateStringrole;生成getter和setter......}JwtUser.javaimp
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
SublimeText3 Chinese version
Chinese version, very easy to use
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
Dreamweaver CS6
Visual web development tools
