CN112260838A - Automatic renewal authentication method based on JWT - Google Patents


Info

Publication number: CN112260838A
Application number: CN202011103322.0A
Authority: CN (China)
Other versions: CN112260838B (en)
Legal status: Granted, active
Inventor: 鲁享琳
Assignee: Sichuan Changhong Electric Co Ltd
Prior art keywords: token, jwt, user, authentication, signature

Classifications

    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L63/0807 Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos
    • H04L63/108 Network architectures or network communication protocols for network security, for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an automatic renewal authentication method based on JWT. It verifies JWTs by adding, modifying and looking up a single valid token per user in a database, which achieves automatic renewal of the JWT: a new token is issued only when a JWT must first be added, or when the JWT has expired or is about to expire, and the database copy and the client's copy are updated together, so that only one latest JWT is stored for each user. In the authentication process, a secondary check that compares the token signature with the database is added to the traditional single signature check, so that unexpired but invalidated JWTs are filtered out and the problem that a JWT cannot be renewed automatically is solved. The method addresses the problems of traditional JWT renewal schemes: high server load, high memory usage, refresh tokens that themselves expire, and the inability to filter unexpired but invalidated JWTs.

Description

Automatic renewal authentication method based on JWT (JSON Web Token)
Technical Field
The invention relates to the technical field of JWT authentication, in particular to an automatic renewal authentication method based on JWT.
Background
JWT is the abbreviation of JSON Web Token. It encodes the user information into the token, and the server does not store any user information. The server verifies the correctness of the token by using the saved key, and if the check passes, the token is accepted. Since the server does not save any user information, the JWT is stateless. Once a JWT is issued, it remains valid until it expires and cannot be revoked partway through. To change the validity time of a JWT, a new JWT must be issued. However, if a previously issued JWT has not yet expired, the server will still accept a login with that old JWT, and the information the server takes from it is then outdated. Therefore, JWT does not support automatic renewal.
Currently, the prior art offers the following three ways of handling the above problem:
1. Each request returns a new JWT to the client. The new JWT is recalculated every time a request is received, which increases the processing load on the server.
2. An expiration time is set individually for each JWT in Redis, the expiration time is refreshed on every access, and a JWT that no longer exists in Redis is considered expired. This occupies a large amount of memory and greatly increases the probability of a failure of the Redis cache.
3. Two tokens are issued at the same time: an access_token and a refresh_token. The refresh_token is valid for longer than the access_token and is used only to refresh the access_token when the access_token is renewed. But the refresh_token itself is not renewed once it has expired.
Moreover, under the JWT standard the token is stateless, so none of the three approaches above can filter out unexpired but invalidated JWTs.
Disclosure of Invention
The invention aims to overcome the defects described in the background and provides an automatic renewal authentication method based on JWT. It verifies the JWT by adding, modifying and looking up a single valid token per user in a database and thereby achieves automatic renewal of the JWT: a new token is issued only when a JWT must first be added, or when the JWT has expired or is about to expire, and the database copy and the client's copy are updated together, so that only one latest JWT is stored for each user. In the authentication process, a secondary check comparing the token signature with the database is added to the traditional single signature check, so that unexpired but invalidated JWTs are filtered out and the problem that a JWT cannot be renewed automatically is solved.
In order to achieve the technical effects, the invention adopts the following technical scheme:
a JWT-based automatic renewal authentication method comprises the following steps:
A. establishing a database table for storing token information; the table comprises the following fields: a primary key, a user id, a token value and an authentication state, wherein the user id stores the unique identifier of a user, the token value stores the latest valid JWT, and the authentication state records whether the user is currently in an identity authentication process;
B. generating a new JWT; the JWT consists of three parts: a header that records the signing algorithm, a payload that carries the effective information, and a signature;
C. extracting the payload part of the token and obtaining the user id and the expiration time;
D. generating a new token when, according to the obtained expiration time, the JWT has expired or is about to expire, and sending the new token to the client;
E. performing anti-repeat authentication detection on each authentication process, ensuring that each user can trigger only one authentication at a time;
F. setting the cookie as HttpOnly to defend against XSS attacks; XSS (cross-site scripting) generally refers to injecting malicious code into a web page through a vulnerability left during web development, so that a user's browser loads and executes a web program crafted by an attacker; these malicious web programs are typically JavaScript; after a successful attack, the attacker may obtain various things including, but not limited to, elevated rights (e.g. performing certain operations), private page contents, sessions and cookies; setting the cookie as HttpOnly means that the token is set only by the server and travels in the cookie that the browser returns automatically, where page scripts cannot read it, which defends against XSS attacks;
G. receiving the token submitted by the client and verifying whether the token was tampered with in transit and whether the token submitted by the client is the latest token;
H. at login and at each authenticated operation, adding a JWT where none is stored and renewing tokens that have expired or are about to expire.
Furthermore, among the components of the JWT, the header and the payload are Base64-encoded, the signature is generated by joining the encoded header and payload with a period and signing the result with a secret key using the algorithm stated in the header, and the user id is encrypted to avoid directly exposing the user identifier.
Further, when generating a new JWT in step B, the expiration time and the encrypted user id are used as the payload members.
Further, step C specifically consists of extracting the payload part of the token, Base64-decoding it, obtaining the expiration time and the encrypted user id, and decrypting the user id.
Further, step D specifically consists of comparing the expiration time obtained in step C with the current time and determining whether the token has expired or is about to expire; if it has expired or is about to expire, a new token containing the new expiration time and the encrypted user id is generated according to step B, the token field corresponding to the user id in the database is updated to the new token, and the new token is sent to the client.
Further, step G specifically consists of Base64-decoding the header part of the token submitted by the client to obtain the signing algorithm, then applying the header-specified algorithm with the secret key to the string formed as encoded header + "." + encoded payload to produce signature 1;
then extracting the signature part of the token submitted by the client and storing it as signature 2; verifying whether signature 1 is consistent with signature 2; if not, the token was tampered with in transit and authentication fails; if so, the further authentication step may continue.
Further, the further authentication step obtains the token corresponding to the user id in the database, extracts its signature and stores it as signature 3, and judges whether signature 2 is consistent with signature 3; if they are inconsistent, the token submitted by the client is not the latest token and authentication fails; if they are consistent, the token signature is successfully authenticated.
Further, step H specifically includes:
if the user logs in for the first time, the token table holds no record for the user; after the user name and password are verified, a JWT is generated according to step B and a record storing the user id and the JWT is added to the token table;
if the user is not logging in for the first time, the user id is obtained after the user name and password are verified, and the token value corresponding to the user is read from the database; according to step D, if the token has expired or is about to expire, a new JWT is generated and written to both the database and the client; otherwise the token value stored in the database continues to be used;
when the user's identity is verified, the user id and the expiration time are obtained according to step C, and the token corresponding to the user id is read from the database for the corresponding check; after the token signature check of step G passes, if the token has expired or is about to expire, a new JWT is generated according to step D and written to both the database and the client; otherwise the token value stored in the database continues to be used.
Further, the initial value of the authentication state in the token table is "unauthenticated"; it becomes "entering authentication" when an authentication flow starts and reverts to "unauthenticated" when the authentication process ends.
Further, step E checks the authentication state in each initiated authentication process and terminates the authentication as soon as the state is found to be "entering authentication", so that each user can trigger only one authentication at a time, which prevents server resources from being consumed by excessive requests.
Compared with the prior art, the invention has the following beneficial effects:
The automatic renewal authentication method based on JWT of the invention adds, modifies and looks up the single valid token per user in the database and so solves the problem that a JWT cannot be renewed automatically. The scheme issues a new token only when a JWT must first be added or when the JWT has expired or is about to expire; because database storage is used, it does not occupy excessive memory space as prior mode 2 introduced in the background does; the token stored on the client and the one in the database are updated together during renewal, which avoids the problem of prior mode 3 introduced in the background that the refresh_token cannot be renewed after it expires; and each user has only one latest JWT stored in the database, so, combined with the secondary comparison of the token signature against the database, the shortcoming shared by the three prior modes, that unexpired but invalidated JWTs cannot be filtered out, is overcome. In other words, the JWT is renewed automatically when it has expired or is about to expire, and the client and the server are updated in step. The problems of traditional JWT renewal schemes, namely high server load, high memory usage, refresh tokens that themselves expire, and the inability to filter unexpired but invalidated JWTs, are thereby effectively solved.
Drawings
FIG. 1 is a schematic diagram illustrating a user login authentication process in the method of the present invention.
Fig. 2 is a schematic diagram of the authentication process of user operation in the method of the present invention.
FIG. 3 is a diagram illustrating a token validation table structure in an embodiment of the present invention.
Detailed Description
The invention will be further elucidated and described with reference to the embodiments of the invention described hereinafter.
Embodiment 1:
an automatic renewal authentication method based on JWT, as shown in fig. 1 and fig. 2, specifically includes the following steps:
Step 1, establish a database table for tokens. Its relational schema is: primary key, user id, token value and authentication state. The token verification table established in this embodiment is shown in Fig. 3, where the user id stores the unique identifier of the user, the token value stores the latest valid JWT, and the authentication state records whether the user is currently in an identity authentication process.
Step 2, the client submits a user name and password, the server compares them with the stored user information, obtains the user identifier user_id after verification passes, and looks up the corresponding record in the token verification table by user_id. If the record does not exist, steps 3 and 4 are executed; if the record exists, go to step 5.
That is, in the method of the invention, the single valid token value is added, modified and looked up in the database when the user logs in and authenticates, so as to filter out unexpired but invalidated JWTs.
Step 3, put the user_id ciphertext and the expiration time into the payload plaintext, and join the three encoded JWT parts, header, payload and signature, into a new token. For example:
S3.1, Base64-encode the plaintext {"typ":"JWT","alg":"HS256"} of the JWT header to produce eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
S3.2, assuming the user_id obtained in step 2 is 1, encrypt it with AES under the key 123 to produce the ciphertext U2FsdGVkX1+0xgFIiWTGGWv6aiRY5umOASz42+VxipE=.
S3.3, assuming the current time is 2020-08-02 20:07:49 and expiry is set to 30 min later, i.e. 2020-08-02 20:37:49, the expiration time takes the timestamp of 2020-08-02 20:37:49, which is 1596371869.
S3.4, from S3.2 and S3.3 obtain the JWT payload plaintext containing the user_id ciphertext and the expiration time:
{"exp":"1596371869","user_code":"U2FsdGVkX1+0xgFIiWTGGWv6aiRY5umOASz42+VxipE="}, where exp is the expiration timestamp.
Base64-encoding the payload produces:
eyJleHAiOiIxNTk2MzcxODY5IiwidXNlcl9jb2RlIjoiVTJGc2RHVmtYMSsweGdGSWlXVEdHV3Y2YWlSWTV1bU9BU3o0MitWeGlwRT0ifQ==
S3.5, join the Base64 header and payload with "." to obtain eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiIxNTk2MzcxODY5IiwidXNlcl9jb2RlIjoiVTJGc2RHVmtYMSsweGdGSWlXVEdHV3Y2YWlSWTV1bU9BU3o0MitWeGlwRT0ifQ==
Signing this string with HS256 under the key 456 gives the signature part: 807c3c910b1ab79b06625fc16edaafd8ba8ff84258b14bad3c41019ee780c88d.
S3.6, join the header, payload and signature with "." to obtain the JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiIxNTk2MzcxODY5IiwidXNlcl9jb2RlIjoiVTJGc2RHVmtYMSsweGdGSWlXVEdHV3Y2YWlSWTV1bU9BU3o0MitWeGlwRT0ifQ==.807c3c910b1ab79b06625fc16edaafd8ba8ff84258b14bad3c41019ee780c88d
Step 4, insert the record {"user_id":1,"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiIxNTk2MzcxODY5IiwidXNlcl9jb2RlIjoiVTJGc2RHVmtYMSsweGdGSWlXVEdHV3Y2YWlSWTV1bU9BU3o0MitWeGlwRT0ifQ==.807c3c910b1ab79b06625fc16edaafd8ba8ff84258b14bad3c41019ee780c88d","state":0}.
Step 5, read the corresponding token from the database, extract the payload part, Base64-decode it and obtain the expiration time. If the token has expired or is about to expire, generate a new JWT with the new expiration time and the encrypted user_id as payload members, and update the token field corresponding to the user_id in the database to the new token.
Whether the token has expired or is about to expire is judged from the expiration time and the current time; if so, a new token is generated and the token values stored by the server and the client are updated together, which achieves automatic renewal of the token.
For example, the token found in the database is:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiIxNTk2MzcxODY5IiwidXNlcl9jb2RlIjoiVTJGc2RHVmtYMSsweGdGSWlXVEdHV3Y2YWlSWTV1bU9BU3o0MitWeGlwRT0ifQ==.807c3c910b1ab79b06625fc16edaafd8ba8ff84258b14bad3c41019ee780c88d
Extract the payload part:
eyJleHAiOiIxNTk2MzcxODY5IiwidXNlcl9jb2RlIjoiVTJGc2RHVmtYMSsweGdGSWlXVEdHV3Y2YWlSWTV1bU9BU3o0MitWeGlwRT0ifQ==
Base64-decoding it yields the plaintext:
{"exp":"1596371869","user_code":"U2FsdGVkX1+0xgFIiWTGGWv6aiRY5umOASz42+VxipE="}, where exp is the expiration timestamp, i.e. the token expires at 2020-08-02 20:37:49.
If "about to expire" means within 3 minutes of expiry and the current time is 2020-08-02 20:09:49, the token has neither expired nor is about to expire, and the token in the database can be used directly.
If the current time is 2020-08-02 20:35:49, the token is about to expire; if the current time is 2020-08-02 20:40:49, it has already expired. In either case step 3 is executed to generate a new JWT, and the token field corresponding to the user_id in the database is updated to the new token.
Step 6, the server sets the cookie as HttpOnly, sends the latest token obtained in step 3 or step 4 to the client, and the client stores the token in the cookie.
Step 7, when the user performs an operation that requires identity authentication, the client sends the token to the server in the HTTP Authorization request header.
For example, with the token value from step 4, the header Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiIxNTk2MzcxODY5IiwidXNlcl9jb2RlIjoiVTJGc2RHVmtYMSsweGdGSWlXVEdHV3Y2YWlSWTV1bU9BU3o0MitWeGlwRT0ifQ==.807c3c910b1ab79b06625fc16edaafd8ba8ff84258b14bad3c41019ee780c88d is sent.
Step 8, the server decodes the payload part of the token to obtain the expiration time and the encrypted user_id, and decrypts the user_id with the secret key.
For example, the server takes the token value from step 4 and extracts the payload part: eyJleHAiOiIxNTk2MzcxODY5IiwidXNlcl9jb2RlIjoiVTJGc2RHVmtYMSsweGdGSWlXVEdHV3Y2YWlSWTV1bU9BU3o0MitWeGlwRT0ifQ==
Base64-decoding it yields the plaintext:
{"exp":"1596371869","user_code":"U2FsdGVkX1+0xgFIiWTGGWv6aiRY5umOASz42+VxipE="}. The exp value gives the expiration timestamp 1596371869, i.e. 2020-08-02 20:37:49; the user_code value is decrypted with AES under the key 123, giving user_id 1.
And 9, inquiring whether the database record corresponding to the user _ id obtained in the step 8 exists or not. If the user does not log in with the account, the server notifies the front end that the authentication fails, and the process is finished. If so, continue to step 10.
Step 10, in the database, if the state value corresponding to the user _ id is 1, it indicates that the user has an ongoing authentication action, the server notifies the client in authentication, so as to avoid repeated authentication, and the process is ended. If the state value corresponding to the user _ id is 0, it indicates that the user has no incomplete authentication action, and the process continues to step 11.
Step 11, set the state value corresponding to the user_id in the database to 1, marking that the user has entered the verification process.
Step 12, Base64-decode the header part of the token submitted by the client to obtain the signing algorithm. Apply the header-specified algorithm with the secret key to the string encoded header + "." + encoded payload from the token submitted by the client to produce signature 1; and extract the signature part of the token submitted by the client and store it as signature 2.
Step 13, if the signature 1 is inconsistent with the signature 2, which indicates that the token is tampered in the transmission process, the server notifies the client that the verification fails, and the process is ended; if signature 1 and signature 2 are identical, indicating that token has not been tampered with during transmission, the process can continue to step 14.
For example, the header part of the token submitted in step 7 is eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9. Base64-decoding it yields {"typ":"JWT","alg":"HS256"}, i.e. the signing algorithm is HS256.
The string encoded header + "." + encoded payload is eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiIxNTk2MzcxODY5IiwidXNlcl9jb2RlIjoiVTJGc2RHVmtYMSsweGdGSWlXVEdHV3Y2YWlSWTV1bU9BU3o0MitWeGlwRT0ifQ==
and signing it with HS256 under the key 456 gives:
807c3c910b1ab79b06625fc16edaafd8ba8ff84258b14bad3c41019ee780c88d, recorded as signature 1.
If the signature part extracted from the token submitted in step 7 is 807c3c910b1ab79b06625fc16edaafd8ba8ff84258b, recorded as signature 2, then signature 1 and signature 2 are inconsistent, the server notifies the client that verification failed, and the flow ends here.
If the signature part extracted from the token submitted in step 7 is 807c3c910b1ab79b06625fc16edaafd8ba8ff84258b14bad3c41019ee780c88d, recorded as signature 2, then signature 1 and signature 2 are consistent and step 14 may continue.
Step 14, read the token corresponding to the user_id from the database, extract its signature, and store it as signature 3.
Step 15, if signature 2 and signature 3 are inconsistent, the token submitted by the client is not the latest token, the server notifies the client that verification failed, and the process ends; if signatures 2 and 3 are consistent, the client has submitted the latest token and step 16 may continue.
For example, signature 2 obtained in step 12: 807c3c910b1ab79b06625fc16edaafd8ba8ff84258b14bad3c41019ee780c88d.
If the signature part of the token corresponding to the user_id in the database is 807c3c910b1ab79b06625fc16edaafd8ba8ff84258b14bad, recorded as signature 3, it is inconsistent with signature 2, the server notifies the client that verification failed, and the process ends here.
If the signature part of the token corresponding to the user_id in the database is 807c3c910b1ab79b06625fc16edaafd8ba8ff84258b14bad3c41019ee780c88d, recorded as signature 3, it is consistent with signature 2 and step 16 is executed.
Step 16, judge from the expiration time decoded in step 7 whether the token has expired or is about to expire. If it has expired or is about to expire, proceed to step 18. If it has neither expired nor is about to expire, proceed to step 19.
Step 18, execute step 3 to generate a new JWT and write it into the token field corresponding to the user_id in the database.
Step 19, set the state value corresponding to the user_id in the database to 0, marking that the user has completed the verification process. The server notifies the client that authentication passed.
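The login and operation-authentication flow of steps 1 to 19, as an added Python example that is not part of the patent. It uses the page's values (HMAC key 456, 30 min validity, 3 min renewal window, standard Base64 with padding for header and payload, hex-encoded HMAC-SHA256 as the signature); the AES encryption of the user id under key 123 is replaced by a constructed lookup table holding the page's ciphertext, and the token table is a plain dict, both assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Values taken from the page's embodiment: HMAC key "456", 30 min validity, 3 min renewal window.
# (Demo constants; a real deployment needs a long random key, not "456".)
SIGNING_KEY = b"456"
TOKEN_TTL = 30 * 60
RENEW_WINDOW = 3 * 60
HEADER = {"typ": "JWT", "alg": "HS256"}

# The page AES-encrypts user_id 1 under key "123" to the string below. Reproducing that needs an
# OpenSSL-compatible AES library, so this constructed table stands in for encrypt/decrypt here.
USER_CODES = {1: "U2FsdGVkX1+0xgFIiWTGGWv6aiRY5umOASz42+VxipE="}


def encrypt_user_id(user_id):
    return USER_CODES[user_id]


def decrypt_user_code(user_code):
    # None for an unknown ciphertext, which later maps to "not logged in".
    return next((uid for uid, code in USER_CODES.items() if code == user_code), None)


def b64_json(obj):
    """Standard Base64 (with '=' padding) of compact JSON, as the page shows; not base64url."""
    return base64.b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode()


def unb64_json(text):
    return json.loads(base64.b64decode(text))


def compute_signature(header_b64, payload_b64):
    """HMAC-SHA256 over 'header.payload' with the server key, hex-encoded as on the page."""
    msg = f"{header_b64}.{payload_b64}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_token(user_id, exp):
    """Step 3: payload = {exp, user_code}; token = header.payload.signature."""
    header_b64 = b64_json(HEADER)
    payload_b64 = b64_json({"exp": str(exp), "user_code": encrypt_user_id(user_id)})
    return f"{header_b64}.{payload_b64}.{compute_signature(header_b64, payload_b64)}"


def token_exp(token):
    return int(unb64_json(token.split(".")[1])["exp"])


def needs_renewal(exp, now):
    """Step D / step 16: renew when expired or within RENEW_WINDOW of expiring."""
    return now >= exp - RENEW_WINDOW


def login(db, user_id, now):
    """Steps 2-5 after the password check: insert a row if missing, else reuse or renew the stored
    token. db maps user_id -> {"token": str, "state": 0 or 1} (the page's token table)."""
    row = db.get(user_id)
    if row is None:
        db[user_id] = {"token": make_token(user_id, now + TOKEN_TTL), "state": 0}
    elif needs_renewal(token_exp(row["token"]), now):
        row["token"] = make_token(user_id, now + TOKEN_TTL)
    return db[user_id]["token"]


def authenticate(db, token, now):
    """Steps 8-19: HMAC check, then comparison with the stored token, anti-repeat flag, renewal.
    Returns (result, token the client should keep from now on)."""
    try:
        header_b64, payload_b64, signature2 = token.split(".")
        alg = unb64_json(header_b64).get("alg")
        exp = token_exp(token)
        user_id = decrypt_user_code(unb64_json(payload_b64)["user_code"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return "malformed", None
    row = db.get(user_id)
    if row is None:
        return "not logged in", None            # step 9: no row for this user
    if row["state"] == 1:
        return "already authenticating", None   # step 10: anti-repeat detection
    row["state"] = 1                            # step 11
    try:
        # Steps 12-13. Only the algorithm this server issues is accepted: trusting an arbitrary
        # 'alg' from the still-unverified header would let the client choose the check.
        if alg != "HS256" or not signature2.isascii():
            return "tampered", None
        signature1 = compute_signature(header_b64, payload_b64)
        if not hmac.compare_digest(signature1, signature2):
            return "tampered", None
        # Steps 14-15: signature 3 is the stored token's signature; a mismatch means a stale token.
        signature3 = row["token"].split(".")[2]
        if not hmac.compare_digest(signature2, signature3):
            return "stale", None
        # Steps 16-18: renew if expired or about to expire, keeping the DB copy in step.
        if needs_renewal(exp, now):
            row["token"] = make_token(user_id, now + TOKEN_TTL)
        return "ok", row["token"]
    finally:
        row["state"] = 0   # step 19; also reset on failure so one bad request cannot lock a user out
```

Note that, as in the patent, an expired token that is still the latest one in the table is accepted and renewed; rejection of old tokens comes from the database comparison, not from exp.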
To sum up, in the method of the invention a single valid token value is added, modified and looked up in the database when the user logs in and authenticates, which filters out unexpired but invalidated JWTs; whether the token has expired or is about to expire is judged from the expiration time and the current time, and if so a new token is generated and the token values stored by the server and the client are updated together, which achieves automatic renewal of the token. When an authentication process starts, the authentication state is changed to "entering authentication", and it reverts to "unauthenticated" when the process ends. Each initiated authentication is terminated as soon as the state is found to be "entering authentication", so each user can trigger only one authentication at a time and server resources are not consumed by excessive requests. A user id ciphertext is placed in the payload part of the JWT, so the user can be identified without directly exposing the user identifier, and if the user is not logging in for the first time and the token has not expired, the token in the database is used directly, reducing the server's processing load. The method therefore renews the JWT automatically when it has expired or is about to expire, keeps the client and the server in step, and solves the problems of traditional JWT renewal schemes: high server load, high memory usage, refresh tokens that themselves expire, and the inability to filter unexpired but invalidated JWTs.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. An automatic renewal authentication method based on JWT (JSON Web Token), characterized by comprising the following steps:
A. establishing a database table for the token, used to store token information, with the fields: a primary key, a user id, a token value and an authentication state; wherein the user id stores the unique identifier of the user, the token value stores the latest valid JWT, and the authentication state records whether the user is currently in an identity authentication process;
B. generating a new JWT; the JWT consists of three parts: a header, which records the algorithm used for the signature, a payload, which carries the effective information, and a signature;
C. extracting the payload part of the token and obtaining the user id and the expiration time;
D. generating a new token when, according to the obtained expiration time, the JWT has expired or is about to expire, and transmitting the new token to the client;
E. performing anti-repeat authentication detection on each authentication process, ensuring that each user can trigger only one authentication at a time;
F. setting the cookie as HttpOnly, so that it cannot be read by page script, as a protection against XSS attacks;
G. intercepting the token submitted by the client and verifying whether the token has been tampered with in transit and whether it is the latest token;
H. when the user logs in and performs authentication, creating a JWT where none exists and renewing tokens that have expired or are about to expire.
2. The JWT-based automatic renewal authentication method of claim 1, wherein, among the JWT components, the header and the payload are Base64-encoded, and the signature is generated by joining the encoded header and the encoded payload with a period and signing the result with a secret key using the algorithm stated in the header.
3. The method of claim 2, wherein in step B the new JWT is generated with the expiration time and the encrypted user id as members of the payload.
4. The JWT-based automatic renewal authentication method of claim 3, wherein step C specifically comprises extracting the payload part of the token, Base64-decoding it, obtaining the expiration time and the encrypted user id, and decrypting the user id.
5. The JWT-based automatic renewal authentication method of claim 4, wherein in step D the expiration time obtained in step C is compared with the current time to determine whether the token has expired or is about to expire; if so, a new token containing the new expiration time and the encrypted user id is generated according to step B, written into the token field of the database row corresponding to the user id, and transmitted to the client.
6. The JWT-based automatic renewal authentication method of claim 2, wherein step G specifically comprises Base64-decoding the header part of the token submitted by the client to obtain the signature algorithm, then computing, with the secret key and the algorithm specified in the header, the signature over the string "encoded header" + "." + "encoded payload", the result being signature 1;
then taking the signature part of the token submitted by the client as signature 2; verifying whether signature 1 and signature 2 are consistent; if not, the token was tampered with in transit and authentication fails; if so, the further authentication steps continue.
7. The JWT-based automatic renewal authentication method of claim 6, wherein the further authentication step reads the token corresponding to the user id from the database, takes its signature as signature 3, and determines whether signature 2 and signature 3 are consistent; if not, the token submitted by the client is not the latest token and authentication fails; if so, the token signature is verified and authentication succeeds.
8. The JWT-based automatic renewal authentication method of claim 7, wherein step H specifically comprises:
if the user logs in for the first time, the token table contains no record for the user; after the user name and password are verified, a JWT is generated according to step B and a record storing the user id and the JWT is added to the token table;
if the user is not logging in for the first time, the user id is obtained after the user name and password are verified, and the token value corresponding to the user is read from the database; according to step D, if the token has expired or is about to expire, a new JWT is generated and written to both the database and the client; otherwise the token value stored in the database continues to be used;
when the user performs identity verification, the user id and the expiration time are obtained according to step C, and the token corresponding to the user id is read from the database for the corresponding verification; after the token signature has been verified according to step G, if the token has expired or is about to expire, a new JWT is generated according to step D and written to both the database and the client; otherwise the token value stored in the database continues to be used.
9. The JWT-based automatic renewal authentication method of claim 1, wherein the initial value of the authentication state in the token table is "not authenticating", it is set to "entering authentication" on entering the authentication process, and it is restored to "not authenticating" when the authentication process finishes.
10. The JWT-based automatic renewal authentication method of claim 9, wherein step E checks the authentication state in every initiated authentication process and aborts the authentication whenever the state is found to be "entering authentication".
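The claims above, and the summary that precedes them, describe one procedure: keep a token table with one row per user, mint a JWT whose payload carries an encrypted user id and an expiration time, verify a submitted token first against its own signature (claim 6) and then against the signature stored for that user (claim 7), renew it when it has expired or is about to expire (claims 5 and 8), and allow only one authentication per user at a time (claims 9 and 10). The following Python program is an added example written for this page, not the applicant's code. It assumes an in-memory dictionary in place of the database table, a 600-second token lifetime and a 60-second "about to expire" window, HS256 as the signature algorithm, and, since the claims do not name the cipher used for the user id, HMAC-SHA256 in counter mode as a keyed stream-cipher stand-in (the JWT signature, which covers the payload, is what protects that field from tampering). Two choices are the example's own rather than steps of the claims: the verifier pins the algorithm to HS256 instead of taking it from the submitted header, and signatures are compared with a constant-time function.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

# Constructed keys for this example only; a deployment would load them from a secret store.
SIGNING_KEY = b"example-hs256-signing-key"
UID_KEY = b"example-user-id-cipher-key"
TTL = 600          # token lifetime in seconds (assumed value)
RENEW_WINDOW = 60  # remaining lifetime below which a token counts as "about to expire" (assumed)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keyed PRF stream: a stand-in for the
    # unspecified cipher behind the claims' "encrypted user id".
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(UID_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_uid(uid: str) -> str:
    nonce = os.urandom(12)
    plain = uid.encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))
    return b64url(nonce + cipher)

def decrypt_uid(blob: str) -> str:
    raw = unb64url(blob)
    nonce, cipher = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(cipher, _keystream(nonce, len(cipher)))).decode()

def make_jwt(uid: str, now: int) -> str:
    # Claims B and 3: header names the algorithm, payload carries exp and the encrypted uid;
    # both are Base64url-encoded (not encrypted) and the signature is HMAC over "header.payload".
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({"uid": encrypt_uid(uid), "exp": now + TTL}, separators=(",", ":")).encode())
    signature = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"

def parse_payload(token: str) -> Tuple[str, int]:
    # Claims C and 4: decode the payload segment and recover the user id and expiration time.
    payload = json.loads(unb64url(token.split(".")[1]))
    return decrypt_uid(payload["uid"]), int(payload["exp"])

def signature_valid(token: str) -> bool:
    # Claim 6: recompute signature 1 over header.payload and compare it with signature 2.
    # Algorithm pinned to HS256 here rather than read from the header (example's choice).
    if token.count(".") != 2:
        return False
    header, payload, sig2 = token.split(".")
    sig1 = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig1, unb64url(sig2))

class TokenTable:
    """Claim A: one row per user id holding the latest token and the authentication state."""

    def __init__(self) -> None:
        self.rows: Dict[str, dict] = {}

    def login(self, uid: str, now: int) -> str:
        # Claim 8, login branch; the user name / password check is assumed to have passed.
        row = self.rows.get(uid)
        if row is None:
            self.rows[uid] = {"token": make_jwt(uid, now), "state": "idle"}
            return self.rows[uid]["token"]
        _, exp = parse_payload(row["token"])
        if exp - now <= RENEW_WINDOW:
            row["token"] = make_jwt(uid, now)
        return row["token"]

    def authenticate(self, token: str, now: int) -> Tuple[str, Optional[str]]:
        # Claims 6, 7, 8, 9 and 10. Returns (status, token the client should keep).
        if not signature_valid(token):
            return "tampered", None
        uid, exp = parse_payload(token)
        row = self.rows.get(uid)
        if row is None:
            return "unknown-user", None
        if row["state"] == "authenticating":
            return "busy", None            # claim 10: one authentication per user at a time
        row["state"] = "authenticating"    # claim 9: enter authentication
        try:
            sig2 = token.rsplit(".", 1)[1]
            sig3 = row["token"].rsplit(".", 1)[1]
            if not hmac.compare_digest(sig2, sig3):
                return "stale", None       # claim 7: not the latest token in the table
            if exp - now <= RENEW_WINDOW:
                row["token"] = make_jwt(uid, now)   # claims D and 5: renew, update table, send to client
                return "renewed", row["token"]
            return "ok", row["token"]
        finally:
            row["state"] = "idle"          # claim 9: leave authentication
```

As in claim 8, a token that is already past its expiration time is renewed rather than rejected as long as it is still the latest one in the table, so the table row, not the exp value, is what bounds a session's life; a deployment that wants a hard upper limit has to add one. The authentication state is reset in a finally block so that an exception during verification cannot leave a user permanently "busy".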

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011103322.0A CN112260838B (en) 2020-10-15 2020-10-15 Automatic renewal authentication method based on JWT (JSON Web Token)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011103322.0A CN112260838B (en) 2020-10-15 2020-10-15 Automatic renewal authentication method based on JWT (JSON Web Token)

Publications (2)

Publication Number Publication Date
CN112260838A true CN112260838A (en) 2021-01-22
CN112260838B CN112260838B (en) 2022-02-22

Family

ID=74243578

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011103322.0A Active CN112260838B (en) 2020-10-15 2020-10-15 Automatic renewal authentication method based on JWT (JSON Web Token)

Country Status (1)

Country Link
CN (1) CN112260838B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103716283A (en) * 2012-09-29 2014-04-09 国际商业机器公司 Web service OAuth certification method for processing call in process and system
WO2017055716A1 (en) * 2015-09-29 2017-04-06 Peugeot Citroen Automobiles Sa Improved method and device for authentication
CN108809988A (en) * 2018-06-14 2018-11-13 北京中电普华信息技术有限公司 A kind of authentication method and system of request
US20180337907A1 (en) * 2017-05-16 2018-11-22 Softex Incorporated Integrated cybersecurity system and method for providing restricted client access to a website
CN108965230A (en) * 2018-05-09 2018-12-07 深圳市中信网安认证有限公司 A kind of safety communicating method, system and terminal device
CN109450865A (en) * 2018-10-18 2019-03-08 弘成科技发展有限公司 API user authen method based on JWT verifying
CN110855672A (en) * 2019-11-15 2020-02-28 无锡家校邦网络科技有限公司 JWT-based authorization method capable of being manually cancelled
CN111625800A (en) * 2020-06-05 2020-09-04 光载互联(杭州)科技有限公司 Digital identity authentication method and system based on in-vivo detection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李凯 (Li Kai): "基于JSON Web Token的无状态账户系统的设计" (Design of a stateless account system based on JSON Web Token), 《现代计算机(专业版)》 (Modern Computer, Professional Edition) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112836204A (en) * 2021-02-03 2021-05-25 中国人民财产保险股份有限公司 Token updating method and device
CN114491652A (en) * 2022-04-19 2022-05-13 广州市保伦电子有限公司 Method for encrypting, backing up and decrypting and restoring database data and processing terminal
CN114978605A (en) * 2022-04-25 2022-08-30 联仁健康医疗大数据科技股份有限公司 Page access method and device, electronic equipment and storage medium
CN115051862A (en) * 2022-06-20 2022-09-13 北京中睿天下信息技术有限公司 Safety communication method based on upper and lower level platforms
CN115296877A (en) * 2022-07-25 2022-11-04 紫光云技术有限公司 Method for invalidation and renewal of JWT storage token
CN115766298A (en) * 2023-01-10 2023-03-07 北京安锐卓越信息技术股份有限公司 Method and device for determining token duration, electronic equipment and storage medium
CN115766298B (en) * 2023-01-10 2023-04-11 北京安锐卓越信息技术股份有限公司 Method and device for determining token duration, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN112260838B (en) 2022-02-22

Similar Documents

Publication Publication Date Title
CN112260838B (en) Automatic renewal authentication method based on JWT (JSON Web Token)
JP6921066B2 (en) Methods and devices to achieve session identifier synchronization
US8887246B2 (en) Privacy preserving authorisation in pervasive environments
US7793340B2 (en) Cryptographic binding of authentication schemes
WO2022021992A1 (en) Data transmission method and system based on nb-iot communication, and medium
US20060212928A1 (en) Method and apparatus to secure AAA protocol messages
US20130219180A1 (en) Data processing for securing local resources in a mobile device
CN111314056A (en) Heaven and earth integrated network anonymous access authentication method based on identity encryption system
CN106453352B (en) Single-system multi-platform identity authentication method
US11394543B2 (en) System and method for secure sensitive data storage and recovery
Lounis et al. Bad-token: denial of service attacks on WPA3
CN111030814A (en) Key negotiation method and device
US11070537B2 (en) Stateless method for securing and authenticating a telecommunication
WO2020020008A1 (en) Authentication method and authentication system
CN114553480B (en) Cross-domain single sign-on method and device, electronic equipment and readable storage medium
CN110138558B (en) Transmission method and device of session key and computer-readable storage medium
CN114697061A (en) Access control method and device, network side equipment, terminal and block link point
CN113965327B (en) Key grouping method and key grouping management system of hardware password equipment
CN112818329B (en) Authentication method and device, user side, equipment side and storage medium
CN116566744B (en) Data processing method and security verification system
CN109474624B (en) Application program authentication system and method
CN117395051A (en) Data processing method, computer device and storage medium
TWI746504B (en) Method and device for realizing synchronization of session identification
CN115694825A (en) Large-scale virtual node verification method in cloud environment
KR20220147610A (en) Secure and documented key access by application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant