php 如何正确使用 Bearer 代币?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/40582161/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to properly use Bearer tokens?
提问by Ashish Ranjan
I'm making an authorization system in PHP, and I came across this Bearer scheme of passing JWT tokens, I read RFC 6750. I've got the following doubts:
我正在制作一个授权系统PHP,我遇到了这个传递 JWT 令牌的承载方案,我阅读了RFC 6750。我有以下疑问:
- How is this improving the security?
- The server responses the client with a JWT token in its body after a successful authorization and login, and now when the client makes another request, I am not clear how to actually do that, I want to send token from client in Authorization header in the request, so now should I just prefix "Bearer" to the token which I received in the previous response from the server and If yes, then server on receiving the Authorization header, should just split the string with space, and take the second value from the obtained array and then decode it? For example
Authorization: Bearer fdbghfbfgbjhg_something, how is server supposed to handle this,decodeFunc(explode(" ", $this->getRequest()->getHeader("Authorization"))[1])?
- 这如何提高安全性?
- 成功授权和登录后,服务器在其正文中使用 JWT 令牌响应客户端,现在当客户端发出另一个请求时,我不清楚如何实际执行此操作,我想在授权标头中从客户端发送令牌请求,所以现在我应该在我从服务器的上一个响应中收到的令牌前加上“Bearer”前缀,如果是,那么服务器在接收到 Authorization 标头时,应该只用空格分割字符串,并从得到的数组然后解码呢?例如
Authorization: Bearer fdbghfbfgbjhg_something,服务器应该如何处理这个,decodeFunc(explode(" ", $this->getRequest()->getHeader("Authorization"))[1])?
回答by Ng? V?n Thao
1.Improving the security because if token is not sent in the header that sent in url, it will be logged by the network system, the server log ....
1.提高安全性,因为如果在url中发送的header中没有发送token,它将被网络系统记录,服务器日志......
2.A good function to get Bearer tokens
2.一个很好的获取Bearer token的功能
/**
* Get header Authorization
* */
function getAuthorizationHeader(){
$headers = null;
if (isset($_SERVER['Authorization'])) {
$headers = trim($_SERVER["Authorization"]);
}
else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { //Nginx or fast CGI
$headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
} elseif (function_exists('apache_request_headers')) {
$requestHeaders = apache_request_headers();
// Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
$requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
//print_r($requestHeaders);
if (isset($requestHeaders['Authorization'])) {
$headers = trim($requestHeaders['Authorization']);
}
}
return $headers;
}
/**
* get access token from header
* */
function getBearerToken() {
$headers = getAuthorizationHeader();
// HEADER: Get the access token from the header
if (!empty($headers)) {
if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
return $matches[1];
}
}
return null;
}
回答by Unkn0wn0x
I would recommend to use the following RegEx to check, if it's a valid jwt-token:
我建议使用以下 RegEx 来检查它是否是有效的 jwt-token:
/Bearer\s((.*)\.(.*)\.(.*))/
and access it also with matches[1].
并使用matches[1]访问它。
This is the structure of a JWT-Token, see: https://jwt.io/
