
Difference between JWT and Token

Updated 6 months ago


✅ Author's Bio: Hello, I'm Leo, a Java backend developer with a passion for Java, a man who wants to make progress with you all 😉😉😉
🍎 Personal Home Page: Leo's Blog
💞 Current Column: One Knowledge Point a Day
✨ Featured Column: MySQL Learning
🥭 In this article: differences between JWT and Token
📚 Personal Knowledge Base: Leo Knowledge Base (welcome to visit)

Contents

  • 1.1 Characteristics and use
  • 1.2 Token Fundamentals
  • 1.3 Advantages
  • 1.4 Disadvantages
  • 2.1 JWT Advantages
    • 1. Statelessness
    • 2. Effective avoidance of CSRF attacks
  • 2.2 JWT Basic Principles
  • 2.4 Differences

We have previously introduced the main concepts related to JWT:

  1. What is JWT
  2. What JWT consists of
  3. How JSON Web Tokens Work
  4. How to authenticate based on JWT
  5. How to prevent JWT from being tampered with

Today we focus on the differences and connections between JWT and Token.

Token is a broad term that can refer to any kind of mechanism used for authentication. Tokens are often used in authentication and authorization processes. A Token can have different forms and structures, such as a randomly generated string or encoded data in a specific format.

1.1 Characteristics and use

  1. No fixed format: a Token can be a data string in any format, not limited to JWT.
  2. Storing Information: The Token may be stored on the server only as a reference, and the server accesses the stored state information via that reference.
  3. Session Management: After unified authentication, Token is used to manage user sessions.
  4. Flexible transmission: Can be transmitted via HTTP headers, URL parameters, or request bodies.

1.2 Token Fundamentals

Token (that is, an opaque string, generated for example with MD5 or another one-way, irreversible hash algorithm; it must be unique)

Client requests login with username and password

The server receives a request to verify the username and password.

If the authentication is successful, the server issues a Token, saves it server-side (in a Session, Redis, MySQL, ...), and then sends the Token to the client.

After the client receives the Token, it can be stored, for example, in a cookie or in Local Storage.

Each time the client requests a resource from the server, it needs to bring the Token issued by the server with it.

The server receives the request, verifies the Token in the client's request against the Token stored on the server, and if the verification is successful, returns the requested data to the client.
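The procedure above, as an added Python example that is not from the original post: an opaque token is drawn from the OS CSPRNG, persisted in a constructed in-memory dict standing in for the Session/Redis/MySQL store, and every request is checked against that store. The `login`, `verify` and `revoke` functions, the `USERS` table and the store layout are assumptions made for this illustration.

```python
import secrets
import time

# Constructed in-memory store standing in for the Session/Redis/MySQL in the text.
# Maps token -> {"user": ..., "expires": epoch seconds}.
TOKEN_STORE = {}
TOKEN_TTL = 3600  # seconds

# Constructed credential table (hypothetical user); a real system stores password hashes.
USERS = {"alice": "correct horse battery staple"}


def login(username, password, now=None):
    """Verify credentials and issue an opaque token, persisting it server-side."""
    now = time.time() if now is None else now
    stored = USERS.get(username)
    if stored is None or not secrets.compare_digest(stored, password):
        return None
    # 32 bytes from the OS CSPRNG: unpredictable and unique in practice, which
    # hashing known user data (e.g. MD5 of a username) does not guarantee.
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[token] = {"user": username, "expires": now + TOKEN_TTL}
    return token


def verify(token, now=None):
    """Look the presented token up in the server-side store; return the user or None."""
    now = time.time() if now is None else now
    entry = TOKEN_STORE.get(token)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del TOKEN_STORE[token]  # expired: drop it and reject
        return None
    return entry["user"]


def revoke(token):
    """Server-side revocation takes effect immediately (advantage 3 in 1.3)."""
    return TOKEN_STORE.pop(token, None) is not None
```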

1.3 Advantages

  1. Can hide the real data, giving a high degree of security
  2. Suitable for distributed/microservice architectures
  3. Tokens support manual control: expiration, revocation, etc.
  4. Existing Tokens can be queried in real time

1.4 Disadvantages

  1. Stored in a database or Redis, so it depends on server resources
  2. Lower efficiency compared to JWT

2.1 JWT Advantages

1. Statelessness

JWT itself contains all the information needed for authentication, so our server does not need to store session information. This obviously increases the availability and scalability of the system and greatly reduces the pressure on the server side.

However, it is also the statelessness of JWT that leads to its biggest drawback: Uncontrollable!

For example, if we want to invalidate a JWT or change its permissions during the JWT's validity period, this does not take effect immediately; you usually have to wait until the validity period expires. Likewise, if the user logs out, the JWT is still valid. Unless, of course, we add additional processing logic on the backend, such as storing the invalidated JWT and checking against that store on the backend before processing a request.

2. Effective avoidance of CSRF attacks

CSRF (Cross-Site Request Forgery) is a security attack that falls within the realm of web attacks. Compared with attacks such as SQL injection and XSS, CSRF is less well known. However, it is a security risk that we must consider when developing systems. Even Google's Gmail, the industry's technology benchmark, had a CSRF vulnerability in 2007, which caused great losses to Gmail users.

For CSRF specifics, you can refer to my article.

2.2 JWT Basic Principles

JWT is the abbreviation of JSON Web Token. It encodes the user information into a signed token, and the server does not save any user information. The server verifies the correctness of the JwtToken using the key it holds; as long as the signature is correct, the token passes verification.

JWT contains three parts: Header, Payload and Signature. The JwtToken is generated from these three parts, separated by a "." sign. The JWT's integrity check is built into the token itself (the Signature), and the information carried in the JwtToken can be read directly, with no need to query the database!

Client requests login with username and password

The server receives a request to verify the username and password.

If the authentication is successful, the server will issue a JwtToken, which does not need to be stored on the server, and then send the JwtToken to the client.

After the client receives the JwtToken, it can be stored, for example, in a cookie or in LocalStorage.

The client needs to bring the JwtToken issued by the server every time it requests a resource from the server.

The server receives the request, verifies the JwtToken inside the client request, and returns the requested data to the client if the verification is successful.
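The JWT procedure above, together with the revocation problem from 2.1, as an added Python example that is not the original post's code: it builds and verifies an HS256 `header.payload.signature` token with the standard library only, pins the algorithm, checks `exp`, and keeps a small denylist of `jti` values so that logout takes effect before expiry. `SERVER_KEY`, the function names and the claim layout are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key; a real deployment loads it from configuration, not source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
# The "additional processing logic" from 2.1: ids of JWTs revoked before their exp.
REVOKED_JTI = set()
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(user, ttl=3600, now=None, jti="1"):
    """Build header.payload.signature with HS256; nothing is stored server-side."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "iat": now, "exp": now + ttl, "jti": jti}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token, now=None):
    """Return the payload if signature, exp and denylist checks all pass, else None."""
    now = int(time.time() if now is None else now)
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        # Pin the algorithm server-side; never let the token's header pick it (e.g. "none").
        if header["alg"] != "HS256":
            return None
        expected = hmac.new(SERVER_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig_b64), expected):
            return None  # tampered header/payload or forged signature
        if now >= payload["exp"] or payload["jti"] in REVOKED_JTI:
            return None
        return payload
    except (ValueError, KeyError, TypeError):  # malformed part count, base64, JSON or claims
        return None

def logout(token, now=None):
    """Without this denylist the JWT stays valid until exp (the 2.1 drawback)."""
    payload = verify_jwt(token, now)
    if payload is not None:
        REVOKED_JTI.add(payload["jti"])
    return payload is not None
```

The CSRF benefit from 2.1 holds only when the client sends the token in a request header it sets itself (e.g. `Authorization`); a JWT that the browser attaches automatically from a cookie needs the same CSRF defences as a session cookie.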

2.4 Differences

  1. Standard vs. custom: JWT is an open standard (RFC 7519) that explicitly defines the structure of the token and how it is generated, whereas a plain Token is usually custom-built and has no unified structure standard.
  2. State storage: JWTs are stateless and designed to be self-contained, carrying all user information, so the server does not need to save state. Traditional tokens may require the server to store additional session information.
  3. Security: JWT provides additional security through its signature. Traditional tokens without additional security measures may be vulnerable to security threats such as man-in-the-middle attacks.
  4. Size: a JWT is usually larger than a simple Token because it contains more user information plus the signature data.