What is the difference between JSON Web Signature (JWS) and JSON Web Token (JWT)?


Question

I've been coding a RESTful service in Java. This is what I've understood till now (correct me if I'm wrong):

Token authorization is done using JSON Web Tokens (JWT) which have three parts: the header, the payload, and the secret (shared between the client and the server).

I understood this concept and stumbled over JSON Web Signature (JWS) while reading about JWT.

JWS also is an encoded entity similar to JWT having a header, payload, and a shared secret.

Question: What is the difference between the two concepts, namely JWT and JWS? And if they are alike technically, then what's the difference in their implementation?

This is the first time I'm working with token based auth, so it's possible I've misunderstood the concept altogether.

P.S. I learned about JWS while browsing through the examples on this website.

Recommended answer

JWT actually uses JWS for its signature, from the spec:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.

So a JWT is a JWS structure with a JSON object as the payload. Some optional keys (or claims) have been defined such as iss, aud, exp etc.

This also means that its integrity protection is not just limited to shared secrets but public/private key cryptography can also be used.
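
The relationship described in the answer above, as an added example that is not part of the original answer: a minimal HS256 JWS compact serialization in Python, with a JWT decoder layered on top that adds only the JSON-claims requirement. The key, issuer name and function names are constructed for illustration; real services should use a maintained JOSE library.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, for illustration only

def b64url(data: bytes) -> str:
    # JWS uses base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(payload: bytes, key: bytes, typ: str = "") -> str:
    """JWS compact serialization with HS256: header.payload.signature"""
    header = {"alg": "HS256", **({"typ": typ} if typ else {})}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def jws_verify(token: str, key: bytes) -> bytes:
    """Return the payload bytes if the MAC checks out, else raise ValueError."""
    h, p, s = token.split(".")  # wrong segment count raises ValueError
    header = json.loads(b64url_decode(h))
    # Pin the algorithm on the verifier side; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison on the encoded form (no lenient decoding of s).
    if not hmac.compare_digest(b64url(expected).encode(), s.encode()):
        raise ValueError("bad signature")
    return b64url_decode(p)

def jwt_claims(token: str, key: bytes, now: int) -> dict:
    """A JWT is a JWS whose payload is a JSON object of claims."""
    claims = json.loads(jws_verify(token, key))  # non-JSON payload raises ValueError
    if not isinstance(claims, dict):
        raise ValueError("JWT payload must be a JSON object")
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        raise ValueError("token expired or exp malformed")
    return claims

if __name__ == "__main__":
    jwt = jws_sign(json.dumps({"iss": "demo-issuer", "exp": 2000000000}).encode(), KEY, "JWT")
    jws = jws_sign(b"any bytes at all", KEY)       # valid JWS, but not a JWT
    print(jwt_claims(jwt, KEY, now=1700000000))
    print(jws_verify(jws, KEY))
```

Both tokens pass `jws_verify`, but only the one carrying a JSON claims object is accepted by `jwt_claims`. Swapping the HMAC for an RSA or ECDSA signature changes `alg` and the key type, not the three-part structure.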
