假如www.olcms.com/getUserInfo获取用户信息,你怎么知道当前用户是谁?有人说登陆时候我把他UID写入session了,如果是API接口,没有session怎么办,那么就需要把UID带到参数里面,如果直接带里面,安全怎么办?所以我们需要加密成别人看不懂的字符串,这就是JWT(JSON WEB TOKEN),你可以把它理解为微信SDK中的access token(其实本身就是一样的东西).JWT加密和解密你自己写也行,不过没有必要重复造*,我们在github上搜一下jwt,我搜到一个lcobucci/jwt,看起来用的人也挺多,好,下来我们大概用tp来演示下

下载tp3.2.3

安装lcobucci/jwt

新建composer.json

    {

    "name": "olcms jwt demo",

    "description": "just a jwt demo with tp",

    "type": "demo",

    "keywords": ["jwt","tp"],

    "homepage": "https://www.olcms.com/",

    "license": "Apache2",

    "authors": [

        {

            "name": "olcms",

            "email": "admin@olcms.com"

        }

    ],

    "require": {

        "lcobucci/jwt" : "*"

    }

}

composer update composer安装看 https://www.olcms.com/2015

打开index.php,在载入tp前载入comoposer的自动加载

//composer

require 'vendor/autoload.php';

// 引入ThinkPHP入口文件

require './ThinkPHP/ThinkPHP.php';

生成和使用jwt

IndexController.class.php

namespace Home\Controller;

use Think\Controller;

use Lcobucci\JWT\Builder;

class IndexController extends Controller {

    public function index(){

        $token = (new Builder())

                        ->set('uid', 1) // Configures a new claim, called "uid"

                        ->getToken(); // Retrieves the generated token

        echo $token; // The string representation of the object is a JWT string (pretty easy, right?)

    }

}

浏览器访问,我们看到生成的jwteyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1aWQiOjF9.刷新一下,发现什么?没变,恩，不够安全，我们再修改下代码

namespace Home\Controller;

use Think\Controller;

use Lcobucci\JWT\Builder;

use Lcobucci\JWT\Signer\Hmac\Sha256;

class IndexController extends Controller {

    public function index(){

        $signer = new Sha256();

        $token = (new Builder())

                        ->set('uid', 1) // Configures a new claim, called "uid"

                        ->setExpiration(time() + 3600)

                        ->sign($signer, 'olcms') // creates a signature using "testing" as key

                        ->getToken(); // Retrieves the generated token

        echo $token; // The string representation of the object is a JWT string (pretty easy, right?)

    }

}

生成的jwteyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsImV4cCI6MTQ2MDYwNjk0Mn0.GdbEXStqQR-5zofQVmorrB4U3yuyCYDdX-jFu58dPpY每次刷新也变- -

从jwt中获取信息

namespace Home\Controller;

use Think\Controller;

use Lcobucci\JWT\Builder;

use Lcobucci\JWT\Signer\Hmac\Sha256;

use Lcobucci\JWT\Parser;

class IndexController extends Controller {

    public function index(){

        $signer = new Sha256();

        $token = (new Builder())

                        ->set('uid', 1) // Configures a new claim, called "uid"

                        ->setExpiration(time() + 3600)

                        ->sign($signer, 'olcms') // creates a signature using "testing" as key

                        ->getToken(); // Retrieves the generated token

        echo $token; // The string representation of the object is a JWT string (pretty easy, right?)

        //从jwt获取信息

        $token = (new Parser())->parse((string) $token); // Parses from a string

        echo $token->getClaim('uid'); // will print "1"

    }

}

大概逻辑

用户登录,服务器生成jwt,放入memcache等缓存并返回jwt,client所有请求都必须带jwt