
Paste your JWT

Decoding and signature verification both run locally. Nothing about the token is sent to a server.
Header (json)

Payload (json)

Verify signature

Enter the secret to verify the signature.

JSON Web Tokens are the backbone of authentication in many services across Nigeria and Africa, from AWS Cognito ID tokens to Auth0 and Okta access tokens. Fintech teams working under open-banking frameworks rely on the same RFC 7519 envelope. This decoder splits the three Base64URL segments in your browser, extracts the header, payload and signature, and decodes standard claims such as `exp`, `iat` and `nbf` with correct time-zone display, without your bearer token ever leaving the tab or appearing in server-side logs.

What is a JSON Web Token?

A JSON Web Token (JWT) is a compact, URL-safe envelope for a small payload of claims. It is the standard authentication format for stateless web sessions, OAuth/OIDC ID tokens, machine-to-machine API authentication and signed magic links. A JWT is always three base64url segments joined by dots: header.payload.signature. The header and payload are JSON; the signature is a binary MAC or digital signature over the first two segments.

How do JWTs work?

When this tool decodes a token it walks the same steps every JWT library follows:

  1. Split the token on dots into exactly three non-empty segments. Any other shape is malformed.
  2. Base64url-decode segments 0 and 1, then JSON.parse each of them. The header carries the algorithm (alg) and token type (typ). The payload carries the claims (sub, exp, iat, custom keys).
  3. If a secret is provided, recompute the MAC over <segment0>.<segment1> using the algorithm named in the header. Compare the bytes with the third segment.
  4. Emit the verification result alongside the decoded claims, including a human-readable expiry indicator computed from the exp claim.

Why decode JWTs in the browser?

Pasting a live JWT into a remote debugger leaks the credential into that service's logs, its observability pipeline and any partner the service forwards data to. Even if a third-party page claims it does not log tokens, you have no way to verify that. This tool was built so you never have to make that trade-off:

  • Zero network: the runtime contains no fetch, XMLHttpRequest or sendBeacon calls. Open DevTools while you decode and verify; the Network panel stays silent.
  • Native Web Crypto: HMAC verification uses crypto.subtle.importKey and crypto.subtle.sign, the same primitives your own runtime would call.
  • Static deployment: every page is a single static HTML file with no server endpoint to misuse. There is no token to leak because there is no server to leak it to.

What does this tool verify, and what does it not?

Version 1 of this tool verifies HMAC-SHA family signatures only. Concretely:

  • Supported: HS256, HS384, HS512. Provide the shared secret and the tool recomputes and compares the MAC.
  • Not yet supported: RS256/384/512 (RSA), ES256/384/512 (ECDSA), EdDSA and PS256/384/512 (RSA-PSS). These require a public key in PEM or JWK form and are deliberately deferred to a later release.
  • Rejected: alg: "none". The tool decodes the token but flags it clearly as dangerous: no signature verification takes place, and any production system that accepts such a token has a serious weakness.

What does decoding a JWT look like?

Paste the familiar RFC 7519 example token into the input field above:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The header decodes to {"alg":"HS256","typ":"JWT"} and the payload to {"sub":"1234567890","name":"John Doe","iat":1516239022}. Enter your-256-bit-secret in the verification panel and the signature check returns valid. Change a single character of the secret and it returns invalid. None of this leaves your browser.

This is the JWT decoder we wanted to exist when we needed to debug a token in production: privacy-respecting, fast, and built on the same primitives your runtime already uses.