What is the difference between JSON Web Signature (JWS) and JSON Web Token (JWT)?

Problem description

I've been coding a RESTful service in Java. This is what I've understood till now (correct me if I'm wrong):

Token authorization is done using JSON Web Tokens (JWT) which have three parts: the header, the payload, and the secret (shared between the client and the server).

I understood this concept and stumbled over JSON Web Signature (JWS) while reading about JWT.

JWS also is an encoded entity similar to JWT having a header, payload, and a shared secret.

Question: What is the difference between the two concepts, namely JWT and JWS? And if they are alike technically, then what's the difference in their implementation?

This is the first time I'm working with token-based auth, so it's possible I've misunderstood the concept altogether.

P.S. I learned about JWS while browsing through the examples on this website.

Recommended answer

JWT actually uses JWS for its signature, from the spec's abstract:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.

So a JWT is a JWS structure with a JSON object as the payload. Some optional keys (or claims) have been defined such as iss, aud, exp etc.

This also means that its integrity protection is not just limited to shared secrets but public/private key cryptography can also be used.
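
The relationship described in the answer above, as an added example that is not part of the original question or answer: a JWS in compact form protects arbitrary payload bytes, and a JWT is the case where those bytes are a JSON object of claims. It assumes HS256 (a shared-secret MAC) only; the function names, the key and the claim values are hypothetical, and public-key algorithms and JWE are not covered.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()

def jws_sign(payload: bytes, key: bytes) -> str:
    """JWS compact serialization: b64url(header).b64url(payload).b64url(mac)."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    signing_input = f"{header}.{b64url(payload)}"
    return f"{signing_input}.{b64url(_mac(key, signing_input))}"

def jws_verify(token: str, key: bytes) -> bytes:
    """Return the payload bytes if the MAC checks out, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload, sig = b64url_decode(payload_b64), b64url_decode(sig_b64)
        expected = _mac(key, f"{header_b64}.{payload_b64}")
    except ValueError as exc:  # wrong part count, bad base64, bad JSON header
        raise ValueError("malformed JWS") from exc
    # Pin the algorithm on the verifier side; never let the token pick it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return payload

def jwt_claims(token: str, key: bytes) -> dict:
    """A JWT is a JWS whose payload is a JSON object of claims."""
    payload = jws_verify(token, key)
    try:
        claims = json.loads(payload)
    except ValueError:
        claims = None
    if not isinstance(claims, dict):
        raise ValueError("valid JWS, but the payload is not a JWT claims set")
    return claims

# Constructed sample data: the demo key and claim values are made up.
KEY = b"constructed-demo-key"
JWT = jws_sign(json.dumps({"iss": "example-issuer", "aud": "example-api", "exp": 4102444800}).encode(), KEY)
PLAIN_JWS = jws_sign(b"not json, just bytes", KEY)
```

`jwt_claims` only establishes that the claims are authentic; it does not check `exp`, `aud` or `iss`, which a service accepting the token still has to validate itself.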
