CN115766213A - jwt failure management method - Google Patents


Info

Publication number
CN115766213A
Authority
CN
China
Prior art keywords
jwt
user
service system
version number
version
Prior art date
Legal status
Pending
Application number
CN202211424515.5A
Other languages
Chinese (zh)
Inventor
张帅
杨震泉
李鑫钊
Current Assignee
Sichuan Cric Technology Co ltd
Original Assignee
Sichuan Cric Technology Co ltd
Priority date
2022-11-15
Filing date
2022-11-15
Publication date
2023-03-07
Events
2022-11-15 Application filed by Sichuan Cric Technology Co ltd
2022-11-15 Priority to CN202211424515.5A
2023-03-07 Publication of CN115766213A
Status: Pending

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a jwt failure management method (a method for invalidating issued JWTs before they expire) comprising the following steps: in the authentication system and in the service system, establish respectively an authentication system / service system user-jwt version number association table that maps the user's unique identifier user_id to the user's latest JWT version number jwt_version; when the authentication system verifies that a client's login request is legitimate, it stores the user's unique identifier and the corresponding latest JWT version number in the payload of the JWT and returns the JWT to the client; when a client presents to the service system a JWT that was issued before a permission change, the service system parses the user_id value u1 and the version number value v1 from the JWT, looks up the latest version number v2 for u1 in its local service system user-jwt version number association table, and if v2 <= v1 continues processing the request; if v2 > v1 the service system refuses access. Compared with a JWT blacklist, the invention saves system resources.

Description

jwt failure management method
Technical Field
The invention relates to the technical field of software, in particular to a jwt failure management method, that is, a method for managing the invalidation of JWTs that have already been issued.
Background
JWT (JSON Web Token) is a stateless token format suited to authentication in distributed systems; its advantage is that a JWT's validity can be verified by any service holding the verification key, without involving a central node. The cost of being stateless is that a JWT, once issued, cannot be withdrawn: it remains valid until its expiration time is reached, so after issuance one can only wait for the expiry set in the JWT to pass. For example, if information stored in the payload later needs to be updated, a new JWT is issued, but the old JWT still verifies successfully until it expires, and a service system that honours it acts on information that is out of date.
The usual solution to this problem is a JWT blacklist: a JWT that must become invalid before its expiration time is added to the blacklist, and every service consults the list on each request. To decide which signed JWTs are stale, the system must then keep track of every unexpired JWT it has issued, and each blacklisted JWT must be retained until it would have expired on its own, which consumes a significant amount of system resources.
Disclosure of Invention
To solve the problems of the prior art, the invention aims to provide a jwt failure management method that only needs to store the latest JWT version number of each user rather than every unexpired JWT signed for that user. An ordinary system already maintains a user table, so only a jwt_version field needs to be added to the user record; the change to the original system and the additional storage overhead are both small.
To achieve this purpose, the invention adopts the following technical scheme. A jwt failure management method comprises:
in the authentication system and in the service system, respectively establishing an association table of the user's unique identifier user_id and the latest JWT version number jwt_version, called the authentication system user-jwt version number association table and the service system user-jwt version number association table respectively;
after the authentication system verifies that the client's login request is legitimate, storing the user's unique identifier user_id and the corresponding latest version number jwt_version in the payload of the JWT and returning the JWT to the client;
when a client presents to the service system a JWT issued before a permission change, the service system parses the user_id value u1 and the jwt_version value v1 from the JWT payload, looks up the latest jwt_version value v2 for u1 in its local service system user-jwt version number association table, and compares them: if v2 <= v1, the JWT of the current request has not been invalidated and the service system continues processing the request; if v2 > v1, the JWT has been invalidated and the service system denies access.
As a further improvement of the invention, the method also comprises the following steps:
when a user's permissions change, the authentication system updates its local authentication system user-jwt version number association table by executing jwt_version = jwt_version + 1 on the version number of the corresponding user_id, and notifies the corresponding service system of the latest jwt_version value for that user_id; the service system then sets the jwt_version of that user_id in its local service system user-jwt version number association table to the notified value.
As a further improvement of the invention, if v2 < v1, the service system updates the jwt_version value of user_id in its local service system user-jwt version number association table to v1.
As a further improvement of the invention, in both the authentication system user-jwt version number association table and the service system user-jwt version number association table, the version number jwt_version is integer data (a monotonically increasing counter) whose initialization default value is 0.
The invention has the beneficial effects that:
the invention effectively solves the problem of managing the invalidation of signed JWTs and, compared with the JWT blacklist technique, saves system resources.
Drawings
FIG. 1 is a schematic flow chart of a service system allowing a client's access in an embodiment of the invention;
FIG. 2 is a schematic flow chart of a service system denying a client's access in an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example 1
As shown in FIG. 1 and FIG. 2, a jwt failure management method includes the following.
The authentication system and the service system each maintain locally an association table of the user's unique identifier user_id and the latest JWT version number jwt_version, called the "authentication system user-jwt version number association table" and the "service system user-jwt version number association table" for short. When the authentication system verifies that a client's login request is legitimate, it additionally stores the user's user_id and the corresponding latest jwt_version in the payload of the JWT and returns the JWT to the client.
When a user's permissions change, for example a user who was authorized to access the service system loses that authorization, the authentication system updates its local "authentication system user-jwt version number association table" by executing jwt_version = jwt_version + 1 on the jwt_version of the corresponding user_id, and notifies the corresponding service system of the latest jwt_version value for that user_id; the service system then sets the jwt_version of that user_id in its local "service system user-jwt version number association table" to the notified value.
When a client presents to the service system a JWT issued before the permission change, the service system parses the user_id value u1 and the jwt_version value v1 from the JWT payload and looks up the corresponding latest jwt_version value v2 in its local "service system user-jwt version number association table". If v2 <= v1, the JWT of the current request has not been invalidated and the service system continues processing the request; in particular, if v2 < v1, the service system additionally updates the locally stored jwt_version of that user_id to v1. If v2 > v1, the JWT has been invalidated and the service system denies access.
Example 2
As further shown in FIG. 1 and FIG. 2, a jwt failure management method includes the following steps:
step 1: in the authentication system, establish an association table of the user's unique identifier user_id and the latest JWT version number jwt_version, called the authentication system user-jwt version number association table for short; jwt_version is integer data and its initial default value is 0;
step 2: the client sends a user login request to the authentication system; after the authentication system verifies the login request successfully, it writes the user's user_id and jwt_version into the payload of the JWT, for example:
{
  "user_id": "6c829ab29d9a4fed9a7eef23296c0c77",
  "jwt_version": 0
}
then the authentication system generates the JWT with a chosen signature algorithm and returns it to the client;
step 3: the service system likewise needs to establish locally an association table of the user's unique identifier user_id and the latest JWT version number jwt_version, called the service system user-jwt version number association table for short; the initial default value of jwt_version is 0;
step 4: the client sends a service request to the service system carrying the JWT returned by the authentication system; the service system verifies whether the JWT is legitimate with the signature verification algorithm matching the authentication system, and rejects the request if it is not. If it is legitimate, the service system parses the user_id value u1 and the jwt_version value v1 from the JWT payload, looks up the corresponding jwt_version value v2 in the service system user-jwt version number association table according to u1, and compares v2 with v1. If v2 <= v1, the JWT of the request has not been invalidated and the service system continues processing the request; in particular, if v2 < v1, the service system additionally updates the locally stored jwt_version of that user_id to v1. If v2 > v1, the JWT has been invalidated and the service system denies access.
step 5: when the user's permissions change for some reason, for example the user is no longer permitted to access the service system, or the service resources the user may access change, the authentication system needs to invalidate every JWT of that user issued with jwt_version <= v1. It updates the jwt_version of that user_id in its authentication system user-jwt version number association table by executing jwt_version = jwt_version + 1 (call the new value v3) and at the same time notifies the service system that the user's latest jwt_version is v3; after receiving the notification, the service system sets the jwt_version of that user_id in its service system user-jwt version number association table to v3.
step 6: the client requests the service system with the original JWT; because the jwt_version value v1 in the payload is smaller than the value v3 that the service system now holds for that user, the service system refuses access.
step 7: the client sends a login request to the authentication system again, obtains the latest JWT, and proceeds from step 4.
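The procedure of Example 1 and Example 2 (claims 1 to 4), carried through end to end as an added example. This is editorial illustration code, not code from the patent or from Sichuan Cric Technology. It assumes HS256 with a shared secret as the "certain signature algorithm", in-memory dictionaries for the two association tables, and a direct method call as the notification channel between the authentication system and the service system; the class names AuthSystem and ServiceSystem, the demo function and the demo key are chosen here and appear nowhere in the patent.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the authentication and service systems (assumption:
# HS256 with a shared secret; the patent leaves the signature algorithm open).
SECRET = b"demo-hmac-key-not-for-production"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload, key=SECRET):
    """Minimal HS256 JWT encoder standing in for the patent's 'certain signature algorithm'."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token, key=SECRET, now=None):
    """Return the payload if signature and expiry check out, else None (alg pinned to HS256)."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(body_b64))  # parsed only after the MAC matched
        if payload.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return payload
    except (ValueError, AttributeError, TypeError):  # malformed base64/JSON or wrong shape
        return None


class ServiceSystem:  # holds the service system user-jwt version number association table
    def __init__(self):
        self.versions = {}  # user_id -> latest jwt_version; a missing entry means 0 (claim 4)

    def update_version(self, user_id, v3):
        """Notification from the authentication system after a permission change (claim 2)."""
        self.versions[user_id] = v3

    def authorize(self, token, now=None):
        """Service request check of Example 2: signature and expiry first, then the version."""
        payload = verify_jwt(token, now=now)
        if payload is None:  # bad signature, wrong alg, expired or malformed
            return False
        u1, v1 = payload.get("user_id"), payload.get("jwt_version")
        if u1 is None or not isinstance(v1, int):  # a token without the version claim is refused
            return False
        v2 = self.versions.get(u1, 0)
        if v2 > v1:  # token predates a permission change: invalidated
            return False
        if v2 < v1:  # claim 3: catch up from the already-verified token
            self.versions[u1] = v1
        return True


class AuthSystem:  # holds the authentication system user-jwt version number association table
    def __init__(self, services):
        self.versions = {}
        self.services = list(services)  # service systems to notify on permission change

    def login(self, user_id, ttl=3600, now=None):
        """Step 2 of Example 2: user_id and the latest jwt_version go into the payload."""
        now = int(time.time() if now is None else now)
        return sign_jwt({"user_id": user_id, "jwt_version": self.versions.get(user_id, 0),
                         "iat": now, "exp": now + ttl})

    def permission_changed(self, user_id):
        """Permission change of Example 2: jwt_version = jwt_version + 1, then notify services."""
        self.versions[user_id] = self.versions.get(user_id, 0) + 1
        for svc in self.services:
            svc.update_version(user_id, self.versions[user_id])
        return self.versions[user_id]


def demo(now=1_700_000_000):
    """Walk through Example 2 with a fixed clock and return each access decision."""
    uid = "6c829ab29d9a4fed9a7eef23296c0c77"  # user_id from the patent's sample payload
    svc = ServiceSystem()
    auth = AuthSystem([svc])
    old = auth.login(uid, now=now)
    before = svc.authorize(old, now=now + 10)  # v2 == v1 == 0: allowed
    v3 = auth.permission_changed(uid)  # v3 == 1 and svc is told
    after = svc.authorize(old, now=now + 20)  # v2 == 1 > v1 == 0: denied
    new = auth.login(uid, now=now + 30)
    relogin = svc.authorize(new, now=now + 40)  # v1 == 1: allowed
    late = ServiceSystem()  # a service that never received the notification
    late_ok = late.authorize(new, now=now + 50)  # v2 == 0 < v1 == 1: allowed and catches up
    forged = sign_jwt({"user_id": uid, "jwt_version": 99, "exp": now + 9999}, key=b"attacker")
    return {"before": before, "v3": v3, "after": after, "relogin": relogin, "late_ok": late_ok,
            "late_version": late.versions[uid], "forged": svc.authorize(forged, now=now + 60),
            "expired": svc.authorize(new, now=now + 30 + 3600)}
```

The order of checks matters: the version comparison runs only after the signature and exp have been verified, because the v2 < v1 catch-up rule of claim 3 writes a value taken from the token into the service's table, which is safe only when that value is covered by the authentication system's signature. The version check complements exp rather than replacing it. Two operational points follow from the design: a service system that misses the notification keeps accepting pre-change tokens until its table is updated, so the reliability of the notification channel sets the revocation latency; and the service system's table must survive restarts (or be re-synced from the authentication system), because a table that falls back to 0 would accept every pre-change token again.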
The embodiments above describe specific implementations of the invention in a concrete and detailed way, but they are not to be construed as limiting the scope of the invention. Various changes and modifications can be made by those skilled in the art without departing from the spirit of the invention, and all such changes and modifications fall within its scope.

Claims (4)

1. A jwt failure management method, comprising:
in the authentication system and in the service system, respectively establishing an association table of the user's unique identifier user_id and the latest JWT version number jwt_version, called the authentication system user-jwt version number association table and the service system user-jwt version number association table respectively;
when the authentication system verifies that the client's login request is legitimate, storing the user's unique identifier user_id and the corresponding latest version number jwt_version in the payload of the JWT and returning the JWT to the client;
when a client presents to the service system a JWT issued before a permission change, the service system parses the user_id value u1 and the jwt_version value v1 from the JWT payload and looks up the latest jwt_version value v2 for u1 in its local service system user-jwt version number association table; if v2 <= v1, the JWT of the current request has not been invalidated and the service system continues processing the request; if v2 > v1, the JWT has been invalidated and the service system denies access.
2. The jwt failure management method of claim 1, further comprising:
when a user's permissions change, the authentication system updates its local authentication system user-jwt version number association table by executing jwt_version = jwt_version + 1 on the version number jwt_version of the corresponding user_id, and notifies the corresponding service system of the latest jwt_version value for that user_id; the service system then sets the jwt_version of that user_id in its local service system user-jwt version number association table to the notified latest value.
3. The jwt failure management method according to claim 1 or 2, wherein if v2 < v1, the service system updates the jwt_version value of user_id in its local service system user-jwt version number association table to v1.
4. The jwt failure management method according to claim 1, wherein in the authentication system user-jwt version number association table and the service system user-jwt version number association table, the version number jwt_version is positive-integer type data whose initialization default value is 0.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211424515.5A CN115766213A (en) 2022-11-15 2022-11-15 jwt failure management method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211424515.5A CN115766213A (en) 2022-11-15 2022-11-15 jwt failure management method

Publications (1)

Publication Number Publication Date
CN115766213A true CN115766213A (en) 2023-03-07

Family

ID=85370814

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211424515.5A Pending CN115766213A (en) 2022-11-15 2022-11-15 jwt failure management method

Country Status (1)

Country Link
CN (1) CN115766213A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110276197A (en) * 2019-06-25 2019-09-24 Sichuan Changhong Electric Co., Ltd. (四川长虹电器股份有限公司) Method for real-time revocation of JWT tokens based on a shared blacklist
JP2020030759A (en) * 2018-08-24 2020-02-27 Canon Inc. (キヤノン株式会社) Authority transfer system, information processing apparatus, control method therefor, and program
CN111294337A (en) * 2020-01-15 2020-06-16 Ping An Technology (Shenzhen) Co., Ltd. (平安科技(深圳)有限公司) Token-based authentication method and device


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YAOPENGFEI: "Section 45: Review of session/JWT principles, JWT hands-on practice, configuring JWT in Swagger, JWT revocation schemes, dual-token scheme" (第四十五节：复习session/Jwt原理、Jwt实操、Swagger中配置Jwt、Jwt撤回方案、双token方案), page 5, retrieved from the Internet <URL:https://www.cnblogs.com/yaopengfei/p/16328194.html> *

Similar Documents

Publication Publication Date Title
EP3226506B1 (en) Sophisticated preparation of an authorization token
US20180167397A1 (en) Authorization Processing Method and Device
CN110046001B (en) Authorization withdrawal method and device
CN109451061B (en) Contract adjustment processing method and system for block chain
US20120072721A1 (en) Certificate Revocation
CN110417730B (en) Unified access method of multiple application programs and related equipment
CN103117987B (en) digital certificate updating method
CN107846482B (en) Domain name filing subsystem and domain name management system applying same
US9722802B2 (en) Method, apparatus, and system for increasing network security
JP2013505497A (en) Method and apparatus for verification of identification information
CN112470444A (en) Method and apparatus for revoking authorization to API callers
CN101193103A (en) A method and system for allocating and validating identity identifier
CN111031074A (en) Authentication method, server and client
WO2023093500A1 (en) Access verification method and apparatus
US20220377556A1 (en) Internet-of-things device registration method and apparatus, device, and storage medium
US8200811B2 (en) Automatic server administration of serial numbers in a replicated certificate authority topology
CN105871963B (en) Method and device for processing resource operation request
CN111355986A (en) Message processing method and device in live broadcast room and storage medium
CN111209349A (en) Method and device for updating session time
CN111385256A (en) Method, device, equipment and medium for migrating batch applications
CN115766213A (en) jwt failure management method
CN113905031A (en) Multifunctional HTTP service request preprocessing system and method
CN113438082A (en) Database access method, device, equipment and storage medium
CN112861092B (en) Method and system for realizing single-terminal login restriction based on JWT authentication application
CN110740122A (en) method and device for improving data warehouse security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination