Web Token using the JSON format
Claim based Token
Transfers information securely between two parties in a self-contained way using a JSON object
Mainly used for user authentication and information exchange
CSRF
CORS
Not Only Web, Mobile
Session
Scalability
REST API
Why?
Now?
Cookie?
Cookie??
Cookie???!
Sent as a plain string
Can be forged or tampered with
XSS
Spoofing
Small storage space, 4096 bytes or less
...
Server load
CORS
Scalability
Session
Synchronize
Overload
Synchronize
Again!
Not only Web
Heterogeneous
Self-contained
{
"id" : "hak",
"role" : ["admin", "staff"],
"group" : ["g1"]
}
Header
Payload
Signature
{
"typ" : "JWT",
"alg" : "HS256"
}
base64 encoded
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
Signature = HMAC-SHA256( base64url(Header) . base64url(Payload), secret key )
Reserved claims
Public claims
Private claims
{
"iss" : "ryan",
"exp" : 1482900013
"sub" : "userInfo"
}
{
"name" : "hak",
"age" : 26
}
Header . Payload . Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImhhayIsImlhdCI6MTQ4MjY1OTg5MSwiZXhwIjoxNDgzMjY0NjkxLCJpc3MiOiJyeWFuIiwic3ViIjoidXNlckluZm8ifQ.m_UEg5vrqwgEzAF_VYaErUmkbkyHCZGciyOHdA7Oqfg
Authorization: Bearer <token>
Client
Server
1. POST /login
2. Create Token with secret key
3. Return Token
4. Request With Token on Header
5. Check Token Signature
6. Response
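Steps 2 and 5 of the flow above, as an added example that is not part of the original slides: a minimal HS256 create/verify pair using only the standard library. The secret key and the claims are constructed sample values; the verifier refuses any algorithm other than HS256, compares signatures in constant time, and rejects a token whose exp has passed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample secret; a real deployment uses a long random key kept server-side.
SECRET = b"example-secret-key"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Restore the padding JWT strips, then decode."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_segment(obj: dict) -> str:
    """Compact JSON (no spaces) so the header matches the encoded value on the slides."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def create_token(payload: dict, secret: bytes) -> str:
    """Step 2: sign base64url(header).base64url(payload) with HMAC-SHA256."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Step 5: check algorithm, signature and expiry; return the claims or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm substitution
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(b64url_decode(p))
        if "exp" in claims and now >= int(claims["exp"]):  # expired token
            return None
        return claims
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
```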
Pros
Self-contained
Not Server based
Stateless
Scalability
Cons
Self-contained
Token Size
Non-encryption
Payload Claim Set
Store Token
Force Token expiration
HTTP
RESTful
Scalability
Stateless
JWT