node.js 如何在 JWT 中使用 jti 声明
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/28907831/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to use jti claim in a JWT
提问by nw.
The JWT spec mentions a jti claim which allegedly can be used as a nonce to prevent replay attacks:
JWT 规范提到了一个 jti 声明,据称可以将其用作随机数来防止重放攻击:
The jti (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The jti claim can be used to prevent the JWT from being replayed. The jti value is a case-sensitive string. Use of this claim is OPTIONAL.
jti (JWT ID) 声明为 JWT 提供唯一标识符。标识符值的分配方式必须确保相同的值被意外分配给不同的数据对象的可能性可以忽略不计;如果应用程序使用多个发行者,则还必须防止不同发行者产生的值之间发生冲突。jti 声明可用于防止重放 JWT。jti 值是区分大小写的字符串。此声明的使用是可选的。
My question is how would I go about implementing this? Do I need to store the previously used jtis and issue a new JWT with every request? If so, doesn't this defeat the purpose of JWTs? Why use a JWT instead of just storing a randomly-generated session ID in a database?
我的问题是我将如何实施这个?我是否需要存储以前使用的 jtis 并为每个请求发出一个新的 JWT?如果是这样,这不是违背了 JWT 的目的吗?为什么要使用 JWT 而不是将随机生成的会话 ID 存储在数据库中?
My REST API has a mongo database and I'm not opposed to adding a redis instance. Is there a better authentication option than JWT? I mainly just don't want to store passwords on the client which eliminates HTTP authentication as an option, however, as I'm getting deeper into this JWT stuff I'm starting to feel as if a custom token implementation or different standard might better suit my needs. Are there any node/express packages for token based authentication that supports token revocation and rotating tokens?
我的 REST API 有一个 mongo 数据库,我不反对添加一个 redis 实例。有比 JWT 更好的身份验证选项吗?我主要只是不想在客户端上存储密码,这会消除 HTTP 身份验证作为一种选择,但是,随着我对 JWT 的研究越来越深入,我开始觉得自定义令牌实现或不同的标准可能会更好适合我的需要。是否有支持令牌撤销和轮换令牌的基于令牌的身份验证的节点/快递包?
Would appreciate any advice.
将不胜感激任何建议。
采纳答案by Gert Hengeveld
Indeed, storing all issued JWT IDs undermines the stateless nature of using JWTs. However, the purpose of JWT IDs is to be able to revoke previously-issued JWTs. This can most easily be achieved by blacklisting instead of whitelisting. If you've included the "exp" claim (you should), then you can eventually clean up blacklisted JWTs as they expire naturally. Of course you can implement other revocation options alongside (e.g. revoke all tokens of one client based on a combination of "iat" and "aud").
实际上,存储所有已发布的 JWT ID 会破坏使用 JWT 的无状态特性。但是,JWT ID 的目的是能够撤销先前发布的 JWT。这最容易通过黑名单而不是白名单来实现。如果您已经包含了“exp”声明(您应该这样做),那么您最终可以清除列入黑名单的 JWT,因为它们会自然过期。当然,您可以同时实施其他撤销选项(例如,根据“iat”和“aud”的组合撤销一个客户端的所有令牌)。
回答by Yves M.
You can use express-jwt package
您可以使用 express-jwt 包
See express-jwt on GitHubor on NPM.
Express-jwt handles revoked tokensas described here: https://github.com/auth0/express-jwt#revoked-tokens
Express-jwt 处理撤销的令牌,如下所述:https: //github.com/auth0/express-jwt#revoked-tokens
var jwt = require('express-jwt');
var data = require('./data');
var utilities = require('./utilities');
var isRevokedCallback = function(req, payload, done){
var issuer = payload.iss;
var tokenId = payload.jti;
data.getRevokedToken(issuer, tokenId, function(err, token){
if (err) { return done(err); }
return done(null, !!token);
});
};
app.get('/protected',
jwt({secret: shhhhhhared-secret,
isRevoked: isRevokedCallback}),
function(req, res) {
if (!req.user.admin) return res.send(401);
res.send(200);
});
You can also read part 4. How do we avoid adding overhead?from this oauth0 blog post.
您还可以阅读第 4 部分。我们如何避免增加开销?来自这篇 oauth0 博客文章。
