JWT (JSON Web Token)

JSON Web Tokens are an open, industry standard [RFC 7519]
method for representing claims securely between two parties.
Source: https://jwt.io

JWT is a web standard (RFC 7519) that lets two parties pass information to each other securely in a lightweight, self-contained way using a JSON object.

Components

JWT๋Š” . ์„ ๊ตฌ๋ถ„์ž๋กœ 3๊ฐ€์ง€์˜ ๋ฌธ์ž์—ด๋กœ ๊ตฌ์„ฑ๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค.

In the structure aaaa.bbbbb.ccccc, the parts are, from left to right, the header, the payload, and the signature.

ํ—ค๋” (Header)

ํ—ค๋”๋Š” typ์™€ alg ๋‘๊ฐ€์ง€์˜ ์ •๋ณด๋ฅผ ์ง€๋‹ˆ๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. typ๋Š” ํ† ํฐ์˜ ํƒ€์ž…์„ ์ง€์ •ํ•ฉ๋‹ˆ๋‹ค. JWT์ด๊ธฐ์— "JWT"๋ผ๋Š” ๊ฐ’์ด ๋“ค์–ด๊ฐ‘๋‹ˆ๋‹ค. alg : ํ•ด์‹ฑ ์•Œ๊ณ ๋ฆฌ์ฆ˜์„ ์ง€์ •ํ•ฉ๋‹ˆ๋‹ค. ๊ธฐ๋ณธ์ ์œผ๋กœ HMAC, SHA256, RSA๊ฐ€ ์‚ฌ์šฉ๋˜๋ฉด ํ† ํฐ์„ ๊ฒ€์ฆ ํ•  ๋•Œ ์‚ฌ์šฉ๋˜๋Š” signature๋ถ€๋ถ„์—์„œ ์‚ฌ์šฉ๋ฉ๋‹ˆ๋‹ค.

{
	"typ" : "JWT",
	"alg" : "HS256"
}

Payload

Payload ๋ถ€๋ถ„์—๋Š” ํ† ํฐ์„ ๋‹ด์„ ์ •๋ณด๊ฐ€ ๋“ค์–ด์žˆ์Šต๋‹ˆ๋‹ค. ์ •๋ณด์˜ ํ•œ ์กฐ๊ฐ์„ ํด๋ ˆ์ž„(claim)์ด๋ผ๊ณ  ๋ถ€๋ฅด๊ณ , ์ด๋Š” name / value์˜ ํ•œ ์Œ์œผ๋กœ ์ด๋ค„์ ธ์žˆ์Šต๋‹ˆ๋‹ค. ํ† ํฐ์—๋Š” ์—ฌ๋Ÿฌ๊ฐœ์˜ ํด๋ ˆ์ž„๋“ค์„ ๋„ฃ์„ ์ˆ˜ ์žˆ์ง€๋งŒ ๋„ˆ๋ฌด ๋งŽ์•„์งˆ๊ฒฝ์šฐ ํ† ํฐ์˜ ๊ธธ์ด๊ฐ€ ๊ธธ์–ด์งˆ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

ํด๋ ˆ์ž„์˜ ์ข…๋ฅ˜๋Š” ํฌ๊ฒŒ ์„ธ๋ถ„๋ฅ˜๋กœ ๋‚˜๋ˆ„์–ด์ง‘๋‹ˆ๋‹ค.

  1. ๋“ฑ๋ก๋œ(registered) ํด๋ ˆ์ž„ ๋“ฑ๋ก๋œ ํด๋ ˆ์ž„๋“ค์€ ์„œ๋น„์Šค์—์„œ ํ•„์š”ํ•œ ์ •๋ณด๋“ค์ด ์•„๋‹Œ, ํ† ํฐ์— ๋Œ€ํ•œ ์ •๋ณด๋“ค์„ ๋‹ด๊ธฐ์œ„ํ•˜์—ฌ ์ด๋ฆ„์ด ์ด๋ฏธ ์ •ํ•ด์ง„ ํด๋ ˆ์ž„๋“ค์ž…๋‹ˆ๋‹ค. ๋“ฑ๋ก๋œ ํด๋ ˆ์ž„์˜ ์‚ฌ์šฉ์€ ๋ชจ๋‘ ์„ ํƒ์ (optional)์ด๋ฉฐ, ์ด์— ํฌํ•จ๋œ ํฌ๋ ˆ์ž„ ์ด๋ฆ„๋“ค์€ ๋‹ค์Œ๊ณผ ๊ฐ™์Šต๋‹ˆ๋‹ค.
  • iss : ํ† ํฐ ๋ฐœ๊ธ‰์ž (issuer)
  • sub : ํ† ํฐ ์ œ๋ชฉ (subject)
  • aud : ํ† ํฐ ๋Œ€์ƒ์ž (audience)
  • exp : ํ† ํฐ์˜ ๋งŒ๋ฃŒ์‹œ๊ฐ„(expiration), ์‹œ๊ฐ„์€ NumericDate ํ˜•์‹์œผ๋กœ ๋˜์–ด์žˆ์–ด์•ผ ํ•˜๋ฉฐ ์–ธ์ œ๋‚˜ ํ˜„์žฌ ์‹œ๊ฐ„๋ณด๋‹ค ์ดํ›„๋กœ ์„ค์ •๋˜์–ด ์žˆ์–ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.
  • nbf : Not before์„ ์˜๋ฏธํ•˜๋ฉฐ, ํ† ํฐ์˜ ํ™œ์„ฑ ๋‚ ์งœ์™€ ๋น„์Šทํ•œ ๊ฐœ๋…์ž…๋‹ˆ๋‹ค. ์—ฌ๊ธฐ์—๋„ NumericDateํ˜•์‹์œผ๋กœ ๋‚ ์งœ๋ฅผ ์ง€์ •ํ•˜๋ฉฐ, ์ด ๋‚ ์งœ๊ฐ€ ์ง€์ •ํ•˜๋ฉฐ, ์ด ๋‚ ์งœ๊ฐ€ ์ง€๋‚˜๊ธฐ ์ „๊นŒ์ง€๋Š” ํ† ํฐ์ด ์ฒ˜๋ฆฌ๋˜์ง€ ์•Š์Šต๋‹ˆ๋‹ค.
  • iat : ํ† ํฐ์ด ๋ฐœ๊ธ‰๋œ ์‹œ๊ฐ„(issued at), ์ด ๊ฐ’์„ ์‚ฌ์šฉํ•˜์—ฌ ํ† ํฐ์˜ age๊ฐ€ ์–ผ๋งˆ๋‚˜ ๋˜์—ˆ๋Š”์ง€ ํŒ๋‹จ ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
  • jti : JWT์˜ ๊ณ ์œ  ์‹๋ณ„์ž๋กœ์„œ, ์ฃผ๋กœ ์ค‘๋ณต์ ์ธ ์ฒ˜๋ฆฌ๋ฅผ ๋ฐฉ์ง€ํ•˜๊ธฐ ์œ„ํ•˜์—ฌ ์‚ฌ์šฉ๋ฉ๋‹ˆ๋‹ค. ์ผํšŒ์šฉ ํ† ํฐ์— ์‚ฌ์šฉํ•˜๋ฉด ์œ ์šฉํ•ฉ๋‹ˆ๋‹ค.
  1. ๊ณต๊ฐœ(public) ํด๋ ˆ์ž„ ๊ณต๊ฐœ ํด๋ ˆ์ž„๋“ค์€ ์ถฉ๋Œ์ด ๋ฐฉ์ง€๋œ(collision-resistant)์ด๋ฆ„์„ ๊ฐ€์ง€๊ณ  ์žˆ์–ด์•ผ ํ•ฉ๋‹ˆ๋‹ค. ์ถฉ๋Œ์„ ๋ฐฉ์ง€ํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š”, ํด๋ ˆ์ž„ ์ด๋ฆ„์„ URIํ˜•์‹์œผ๋กœ ์ง“์Šต๋‹ˆ๋‹ค.
{
	"https://chup.tistory.com/jwt_claims/is_admin" : true
}
  1. ๋น„๊ณต๊ฐœ(private) ํด๋ ˆ์ž„ ๋“ฑ๋ก๋œ ํด๋ ˆ์ž„๋„ ์•„๋‹ˆ๊ณ , ๊ณต๊ฐœ๋œ ํด๋ ˆ์ž„๋“ค๋„ ์•„๋‹™๋‹ˆ๋‹ค. ์–‘ ์ธก๊ฐ„์—(๋ณดํ†ต ํด๋ผ์ด์–ธํŠธ <-> ์„œ๋ฒ„) ํ•ฉ์˜ํ•˜์— ์‚ฌ์šฉ๋˜๋Š” ํด๋ ˆ์ž„ ์ด๋ฆ„๋“ค์ž…๋‹ˆ๋‹ค. ๊ณต๊ฐœ ํด๋ ˆ์ž„๊ณผ๋Š” ๋‹ฌ๋ฆฌ ์ด๋ฆ„์ด ์ค‘๋ณต๋˜์–ด ์ถฉ๋Œ์ด ๋  ์ˆ˜ ์žˆ์œผ๋‹ˆ ์‚ฌ์šฉํ• ๋•Œ์— ์œ ์˜ํ•ด์•ผํ•ฉ๋‹ˆ๋‹ค.

Signature

์„œ๋ช…์€ ํ—ค๋”์˜ ์ธ์ฝ”๋”ฉ๊ฐ’๊ณผ ์ •๋ณด์˜ ์ธ์ฝ”๋”ฉ๊ฐ’์„ ํ•ฉ์นœํ›„ ์ฃผ์–ด์ง„ ๋น„๋ฐ€ํ‚ค๋กœ ํ•ด์‰ฌ๋ฅผ ํ•˜์—ฌ ์ƒ์„ฑํ•ฉ๋‹ˆ๋‹ค. ์ด๋ ‡๊ฒŒ ๋งŒ๋“  ํ•ด์‰ฌ๋ฅผ base64ํ˜•ํƒœ๋กœ ๋‚˜ํƒ€๋‚ด๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.


๋กœ๊ทธ์ธ ์ธ์ฆ์‹œ JWT ์‚ฌ์šฉ

๋งŒ์•ฝ ์œ ํšจ๊ธฐ๊ฐ„์ด ์งง์€ Token์„ ๋ฐœ๊ธ‰ํ•˜๊ฒŒ๋˜๋ฉด ์‚ฌ์šฉ์ž ์ž…์žฅ์—์„œ ์ž์ฃผ ๋กœ๊ทธ์ธ์„ ํ•ด์•ผํ•˜๊ธฐ ๋•Œ๋ฌธ์— ๋ฒˆ๊ฑฐ๋กญ๊ณ  ๋ฐ˜๋Œ€๋กœ ์œ ํšจ๊ธฐ๊ฐ„์ด ๊ธด Token์„ ๋ฐœ๊ธ‰ํ•˜๊ฒŒ๋˜๋ฉด ์ œ 3์ž์—๊ฒŒ ํ† ํฐ์„ ํƒˆ์ทจ๋‹นํ•  ๊ฒฝ์šฐ ๋ณด์•ˆ์— ์ทจ์•ฝํ•˜๋‹ค๋Š” ์•ฝ์ ์ด ์žˆ์Šต๋‹ˆ๋‹ค. ๊ทธ ์ ๋“ค์„ ๋ณด์™„ํ•˜๊ธฐ ์œ„ํ•ด Refresh Token ์„ ์‚ฌ์šฉํ•˜๊ฒŒ ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. Refresh Token์€ Access Token๊ณผ ๋˜‘๊ฐ™์€ JWT์ž…๋‹ˆ๋‹ค. Access Token์˜ ์œ ํšจ๊ธฐ๊ฐ„์ด ๋งŒ๋ฃŒ๋˜์—ˆ์„ ๋•Œ, Refresh Token์ด ์ƒˆ๋กœ ๋ฐœ๊ธ‰ํ•ด์ฃผ๋Š” ์—ด์‡ ๊ฐ€ ๋ฉ๋‹ˆ๋‹ค. ์˜ˆ๋ฅผ ๋“ค์–ด, Refresh Token์˜ ์œ ํšจ๊ธฐ๊ฐ„์€ 1์ฃผ, Access Token์˜ ์œ ํšจ๊ธฐ๊ฐ„์€ 1์‹œ๊ฐ„์ด๋ผ๊ณ  ํ•œ๋‹ค๋ฉด, ์‚ฌ์šฉ์ž๋Š” Access Token์œผ๋กœ 1์‹œ๊ฐ„๋™์•ˆ API์š”์ฒญ์„ ํ•˜๋‹ค๊ฐ€ ์‹œ๊ฐ„์ด ๋งŒ๋ฃŒ๋˜๋ฉด Refresh Token์„ ์ด์šฉํ•˜์—ฌ ์ƒˆ๋กญ๊ฒŒ ๋ฐœ๊ธ‰ํ•ด์ค๋‹ˆ๋‹ค. ์ด ๋ฐฉ๋ฒ•๋˜ํ•œ Access Token์ด ํƒˆ์ทจ๋‹นํ•œ๋‹คํ•ด๋„ ์ •๋ณด๊ฐ€ ์œ ์ถœ์ด ๋˜๋Š”๊ฑธ ๋ง‰์„ ์ˆ˜ ์—†์ง€๋งŒ, ๋” ์งง์€ ์œ ํšจ๊ธฐ๊ฐ„๋•Œ๋ฌธ์— ํƒˆ์ทจ๋˜๋Š” ๊ฐ€๋Šฅ์„ฑ์ด ์ ๋‹ค๋Š” ์ ์„ ์ด์šฉํ•œ ๊ฒƒ์ž…๋‹ˆ๋‹ค. Refresh Token๋˜ํ•œ ์œ ํšจ๊ธฐ๊ฐ„์ด ๋งŒ๋ฃŒ๋๋‹ค๋ฉด, ์‚ฌ์šฉ์ž๋Š” ์ƒˆ๋กœ ๋กœ๊ทธ์ธํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค. Refresh Token๋„ ํƒˆ์ทจ ๋  ๊ฐ€๋Šฅ์„ฑ์ด ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ์ ์ ˆํ•œ ์œ ํšจ๊ธฐ๊ฐ„ ์„ค์ •์ด ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.


Access Token + Refresh Token authentication flow



[์ฐธ๊ณ  ์ž๋ฃŒ]