1. JWT structure
The token that the server issues to the client (browser) consists of three parts separated by ".":
- header (Base64Url encoded)
- payload (Base64Url encoded)
- signature
For example: xxxxx.yyyyy.zzzzz
1.1 Example:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiYW5keSIsImV4cCI6MTY1NTg5NzEwMCwiYWdlIjozMH0.32hfc-oBxGg2Lgk3QR48HCbadsbOfCUxexw9aiQ_FQk
Split into 3 parts:
- eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 (header)
- eyJuYW1lIjoiYW5keSIsImV4cCI6MTY1NTg5NzEwMCwiYWdlIjozMH0 (payload)
- 32hfc-oBxGg2Lgk3QR48HCbadsbOfCUxexw9aiQ_FQk (signature)
2. Header, payload and signature
2.1 header
The header part above: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
After base64Url decoding:
{
"typ": "JWT",
"alg": "HS256"
}
It describes the type of the token and the algorithm used to sign it.
The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
2.2 Payload
The payload section above: eyJuYW1lIjoiYW5keSIsImV4cCI6MTY1NTg5NzEwMCwiYWdlIjozMH0
After base64Url decoding:
{
"name": "andy",
"exp": 1655897100,
"age": 30
}
It normally carries the data the client presents with each request (for example the user name, or whether the user is an administrator); the server defines this content, as a map, when it generates the token.
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
2.3 Signature
The signature section above: 32hfc-oBxGg2Lgk3QR48HCbadsbOfCUxexw9aiQ_FQk
It lets the server check that the header and payload have not been modified by the client. It is produced as follows:
The algorithm named in the header is applied to the base64Url-encoded header, a dot, the base64Url-encoded payload, and your secret key. The secret is what makes the signature trustworthy, which is why it must be well protected.
The calculation logic is as follows:
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
12345
)
3. Java test case
import java.util.Calendar;
import org.junit.Test;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;

public class JwtTest {

    /**
     * Sign a JWT with HS256, storing name/age in the payload.
     */
    @Test
    public void testJwtToken() {
        // signing secret
        final String SECRET = "12345";
        // token expires two hours from now
        Calendar c = Calendar.getInstance();
        c.add(Calendar.HOUR, 2);
        String token = JWT.create().withClaim("name", "andy")
                .withClaim("age", 30)
                .withExpiresAt(c.getTime())
                .sign(Algorithm.HMAC256(SECRET));
        System.out.println(token);
    }

    /**
     * Verify a JWT and read the name/age stored in the payload.
     */
    @Test
    public void testJwtVerify() {
        String jwtToken = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiYW5keSIsImV4cCI6MTY1NTg4ODk3MiwiYWdlIjozMH0.LU4AQJkld03kDhatkiiArSJI4liGiANArTvoyswzk5I";
        final String SECRET = "12345";
        // the verifier is pinned to HS256 with this secret; verify() throws if the
        // signature does not match or the token has expired
        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET)).build();
        DecodedJWT decodedJWT = verifier.verify(jwtToken);
        Claim name = decodedJWT.getClaim("name");
        Claim age = decodedJWT.getClaim("age");
        System.out.println(name.asString());
        System.out.println(age.asInt());
    }
}
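To make the signature logic in 2.3 and the verification in the Java test concrete, the following is an added example (not code from the post or from java-jwt) that implements HS256 signing and verification with only the Python standard library. The secret "12345" and the header/payload JSON are taken from the post; the sample token is the one shown in 1.1, and the `now` values used when verifying are assumptions chosen around that token's `exp`.

```python
import base64, hashlib, hmac, json, time

# Token copied from the post; header and payload decode to the JSON in 2.1 and 2.2.
SAMPLE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
                "eyJuYW1lIjoiYW5keSIsImV4cCI6MTY1NTg5NzEwMCwiYWdlIjozMH0."
                "32hfc-oBxGg2Lgk3QR48HCbadsbOfCUxexw9aiQ_FQk")

def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    # Re-add the padding removed at encode time before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def hs256_signature(signing_input: bytes, secret: str) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    return b64url_encode(hmac.new(secret.encode(), signing_input, hashlib.sha256).digest())

def sign_hs256(payload: dict, secret: str) -> str:
    # Compact JSON (no spaces) is what the post's segments decode to.
    header = {"typ": "JWT", "alg": "HS256"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}." + hs256_signature(f"{h}.{p}".encode(), secret)

def verify_hs256(token: str, secret: str, now=None) -> dict:
    """Return the payload if signature and exp check out, else raise ValueError."""
    h, p, sig = token.split(".")  # ValueError if not exactly three segments
    # Pin the algorithm: the token's own header must never choose how it is verified.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hs256_signature(f"{h}.{p}".encode(), secret)
    # Constant-time compare so a forger learns nothing from timing.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload

def verify_status(token: str, secret: str, now=None) -> str:
    # "ok" or the rejection reason, for callers that do not want exceptions.
    try:
        verify_hs256(token, secret, now)
        return "ok"
    except ValueError as e:
        return str(e)
```

Signing {"name": "andy", "exp": 1655897100, "age": 30} with this code reproduces the post's header and payload segments exactly; verification rejects a changed payload, a wrong secret, a non-HS256 header, or a token checked after its exp.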