我试图在身份验证的上下文中了解 RESTful API 中的无状态性.这是场景:
I am trying to understand statelessness in restful APIs in the context of authentication. Here's the scenario:
- 用户登录.
- 服务器验证用户名和密码,并生成一个不透明的访问令牌.它缓存了一些与此令牌相关的信息——例如,过期时间、userId、此令牌是否在过期前显式失效等.
- 令牌被发送给客户端,客户端在以后的每个请求中发送它.
Fielding's dissertation defines statelessness as:
"...such that each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client."
In my example, the client is sending the token with every request, so the first condition is satisfied. However, my server has a context associated with this session that is stored in the sessions cache.
Does this make my application stateful?
如果是,那么只有使用 JWT 才能实现真正的无状态吗?我在思考这个问题,因为 JWT 还很新,那么架构师在它们被发明之前是如何构建真正的无状态服务的呢?
If yes, then is it that true statelessness be achieved only if we are using JWTs? I am pondering upon this as JWTs are quite new, so how were architects building truly stateless services before they were invented?
That's right. If you you maintaining the session you are keeping the state in server which makes the application hard to scale. True stateless applications can be scaled out and any server should be able to handle the request.
JWT 是避免会话的流行方式,所有内容都封装在令牌中,任何服务器都可以对请求进行身份验证/授权并帮助我们实现无状态应用程序,它们有自己的挑战,但是 OpenID 连接是身份验证/授权的新方式.
JWT is popular way to avoid sessions and everything is encapsulated inside the token for any server to auth/Authorize the request and help us achieve stateless application, they come with their own challenges however OpenID connect is the new way for Auth/Authorization.
在使用 jwt 使应用程序无状态之前,我们将会话保存在数据库(或共享缓存)中,任何服务器想要检查会话都必须联系数据库.
Before jwt to make application stateless we used to keep session in DB (or Shared Cache) , and any server would like to check the session would have to contact DB.