JWT
JSON Web Token
code.ryan.lee@gmail.com
Introduction
JWT - JSON Web Token
A Web Token that uses the JSON format
Claim based Token
Passes information securely between two parties in a self-contained way using a JSON object;
mainly used for user authentication and information exchange
Web Token ?
Web Token 의 필요성
CSRF
CORS
Not Only Web, Mobile
Session
Scalability
REST API
Why ?
Now ?
Cookie?
Cookie??
Cookie???!
Type of Authorization
Cookie - Client Side Storage
Sent as a plain string
Can be forged or tampered with
XSS
Spoofing
Small storage space, 4096 bytes or less
...
Type of Authorization
Session - Server Side Auth
Server load
CORS
Scalability
Type of Authorization
Problem of Cookie-Session #1
Scalability
Session
Synchronize
Type of Authorization
Problem of Cookie-Session #2
Overload
-
Synchronize
Again!
Type of Authorization
Problem of Cookie-Session #3
Not only Web
Heterogeneous
Type of Authorization
Token base
Self-contained
{
"id" : "hak",
"role" : ["admin", "staff"],
"group" : ["g1"]
}
JWT
Header
Payload
Signature
{
"typ" : "JWT",
"alg" : "HS256"
}
base64 encoded
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
HMAC-SHA256( base64url(Header) . base64url(Payload) , secretkey )
Reserved claims
Public claims
Private claims
{
"iss" : "ryan",
"exp" : 1482900013,
"sub" : "userInfo"
}
{
"name" : "hak",
"age" : 26
}
JWT
Header . Payload . Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImhhayIsImlhdCI6MTQ4MjY1OTg5MSwiZXhwIjoxNDgzMjY0NjkxLCJpc3MiOiJyeWFuIiwic3ViIjoidXNlckluZm8ifQ.m_UEg5vrqwgEzAF_VYaErUmkbkyHCZGciyOHdA7Oqfg
Authorization: Bearer <token>
JWT
Client
Server
1. POST /login
2. Create Token with secret key
3. Return Token
4. Request With Token on Header
5. Check Token Signature
6. Response
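The header.payload.signature layout and steps 2 and 5 of the flow above (create with the secret key, check the signature before trusting claims), as an added Python example that is not part of the original slides. The secret and the claim values are constructed; the token decoded at the end is the slides' own sample token, whose secret is unknown, so it can be decoded but not verified.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real server loads it from a secret store.
SECRET = b"demo-secret-not-for-production"
# Sample token from the slides (its signing secret is not known here).
PAGE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImhhayIsImlhdCI6MTQ4MjY1OTg5MSwiZXhwIjoxNDgzMjY0NjkxLCJpc3MiOiJyeWFuIiwic3ViIjoidXNlckluZm8ifQ.m_UEg5vrqwgEzAF_VYaErUmkbkyHCZGciyOHdA7Oqfg"

def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(signing_input: bytes, secret: bytes) -> str:
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())

def create_token(claims: dict, secret: bytes) -> str:
    # Step 2: server builds base64url(header).base64url(payload) and signs it.
    header = {"typ": "JWT", "alg": "HS256"}
    segments = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
                b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(segments).encode("ascii")
    return ".".join(segments + [sign_hs256(signing_input, secret)])

def verify_token(token: str, secret: bytes, now=None) -> dict:
    # Step 5: recompute the signature and compare before trusting any claim.
    # Every failure raises ValueError so a bad token is never used by mistake.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = sign_hs256(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, sig_b64):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    # exp may appear as a number or (as on the slides) a numeric string.
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims

def decode_unverified(token: str) -> dict:
    # The payload is only encoded, not encrypted: anyone holding the token can read it.
    return json.loads(b64url_decode(token.split(".")[1]))
```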
Silver bullet?
Pros
Cons
Self-contained
Not Server based
Stateless
Scalability
Self-contained
Token Size
Non-encryption
Payload Claim Set
Store Token
Force Token expiration
Conclusion
HTTP
RESTful
Scalability
Stateless
JWT