Characteristics of the JWT approach:
- After the user logs in, the server generates a token string for the user through JWT (the server keeps no record of the token). When the user comes back, the request must carry the token; on receiving it, the server uses JWT to check whether the token has expired and whether it is valid.
JWT token format:
A JWT token consists of three strings joined by ".":
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsInZlcnNpb24iOiIxLjAiLCJ0cyI6IjIwMjEwMjAzMTIzIiwic2VyaWFsSWQiOiJ4eHh4eHgiLCJoYXNoIjoieHh4eHh4In0.eyJ1c2VySWQiOiIwMDEiLCJ1c2VyTmFtZSI6InpoYW5nc2FuIiwiZXhwIjoxNjIxOTEwNDYxfQ.vINBnYx8nRxJNgvsQb5FZ0pCwWeH6yWeEoMRm_pDTIU
Generation rules:
- The first segment is the header (JSON). It always contains the token's signing algorithm and type; this segment is base64url-encoded:
{
  "typ": "JWT",
  "alg": "HS256",
  "version": "1.0",
  "ts": "20210203123",
  "serialId": "xxxxxx",
  "hash": "xxxxxx"
}
- The second segment is the payload (JSON), holding custom user data; this segment is base64url-encoded:
{
  "userId": "001",
  "userName": "zhangsan",
  "exp": 1621909898
}
- The third segment is the signature: join the base64url-encoded header and payload with ".", compute HS256 over that string with the secret, and base64url-encode the result; that is the third segment of the token:
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
)
Python code:
#! /usr/bin/python3
# -*- encoding:utf8 -*-
import datetime
import time

import jwt  # PyJWT


def createToken():
    salt = 'abc@1234'  # HMAC secret shared by the issuer and the verifier
    # Extra header fields; PyJWT puts "typ" and "alg" in front of them
    orgData = {
        "version": "1.0",
        "ts": "20210203123",
        "serialId": "xxxxxx",
        "hash": "xxxxxx",
    }
    payload = {
        'userId': '001',
        'userName': 'zhangsan',
        # exp sets the token's lifetime (here one minute from now)
        'exp': datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(minutes=1)
    }
    token = jwt.encode(payload=payload, key=salt, algorithm='HS256', headers=orgData)
    return token


def checkToken(token):
    salt = 'abc@1234'
    try:
        # Only HS256 is accepted; PyJWT also verifies the signature and exp
        data = jwt.decode(token, salt, algorithms=['HS256'])
        return data
    except jwt.ExpiredSignatureError:
        return 'Token已失效'    # the token has expired
    except jwt.DecodeError:
        return 'Token认证失败'  # signature or format check failed
    except jwt.InvalidTokenError:
        return '无效的Token'    # any other invalid token


d1 = createToken()
print(d1)
d2 = checkToken(d1)
print(d2)
time.sleep(65)  # wait past the one-minute lifetime
d3 = checkToken(d1)
print(d3)
Output:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsInZlcnNpb24iOiIxLjAiLCJ0cyI6IjIwMjEwMjAzMTIzIiwic2VyaWFsSWQiOiJ4eHh4eHgiLCJoYXNoIjoieHh4eHh4In0.eyJ1c2VySWQiOiIwMDEiLCJ1c2VyTmFtZSI6InpoYW5nc2FuIiwiZXhwIjoxNjIxOTEwNDYxfQ.vINBnYx8nRxJNgvsQb5FZ0pCwWeH6yWeEoMRm_pDTIU
{'userId': '001', 'userName': 'zhangsan', 'exp': 1621910461}
Token已失效
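The three generation rules above and the checkToken logic, as an added example that is not from the original post: it builds and checks an HS256 token with only the standard library (base64, hmac, hashlib, json), so the signing input, the MAC and the checks a verifier must make (algorithm pinned to HS256, constant-time signature comparison, exp) are all visible. The secret b"example-secret" and the sample payloads are constructed for the example; the page's own token is only decoded for inspection, never trusted.

```python
import base64, hashlib, hmac, json, time

# Token printed on this page (its header and payload are readable without the key).
PAGE_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsInZlcnNpb24iOiIxLjAiLCJ0cyI6IjIwMjEwMjAzMTIzIiwic2VyaWFsSWQiOiJ4eHh4eHgiLCJoYXNoIjoieHh4eHh4In0.eyJ1c2VySWQiOiIwMDEiLCJ1c2VyTmFtZSI6InpoYW5nc2FuIiwiZXhwIjoxNjIxOTEwNDYxfQ.vINBnYx8nRxJNgvsQb5FZ0pCwWeH6yWeEoMRm_pDTIU"

def b64url_encode(raw):
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(seg):
    """Inverse of b64url_encode: restore the padding, then decode."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _compact(obj):
    """Compact JSON (no spaces) then base64url, the form used for header and payload."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def peek(token):
    """Header and payload WITHOUT verification: for inspection only, never for trust."""
    h64, p64, _sig = token.split(".")
    return json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))

def hs256_sign(header, payload, secret):
    """base64url(header) + "." + base64url(payload), then HMAC-SHA256 over that string."""
    signing_input = _compact(header) + "." + _compact(payload)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def hs256_verify(token, secret, now=None):
    """Return (status, payload); payload is only set when status == 'ok'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed", None
    h64, p64, s64 = parts
    try:
        header, sig = json.loads(b64url_decode(h64)), b64url_decode(s64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all end up here
        return "malformed", None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "bad alg", None  # pin the algorithm, as algorithms=['HS256'] does above
    expected = hmac.new(secret, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return "bad signature", None
    payload = json.loads(b64url_decode(p64))  # parsed only after the MAC has been checked
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):  # RFC 7519: now must be before exp
        return "expired", None
    return "ok", payload
```

Checking the page's own token with this verifier needs the page's secret 'abc@1234' as bytes; peek() shows its contents without it.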