I trying to implement a token based authentication approach:
Every successful login creates new token.
If user selects "keep me logged in" or the user is using a mobile device, the token is persisted in a Redis database without an expiration date. Otherwise, the token will expire in 20 minutes.
Once user is authenticated, the token is checked from each subsequent request in my Redis database.
I'm wondering how I can identify devices. In case of mobile devices, I can use a device identifier. But how can I identify a browser?
Example: The user logs in using Chrome and selects "keep me logged in". A token is generated and persisted with the browser name in Redis. If the user logs in from Firefox, saves the token and "Firefox" in the database. I save the token in Redis whereas token is created on successful authentication. Is it fine to persist only the token and the browser where the token is being used? Or do I need to persist the IP as well?
Additional question: How to avoid attackers to steal the token from a cookie?
How token-based authentication works
In a few words, an authentication scheme based on tokens follow these steps:
- 客户端将其凭据(用户名和密码)发送到服务器.
- 服务器对凭据进行身份验证并生成令牌.
- 服务器将先前生成的令牌以及用户标识符和到期日期存储在某个存储器中.
- 服务器将生成的令牌发送给客户端.
- 在每个请求中,客户端都会将令牌发送到服务器.
- 服务器在每个请求中均从传入请求中提取令牌.服务器使用令牌来查找用户详细信息以执行身份验证和授权.
- The client sends their credentials (username and password) to the server.
- The server authenticates the credentials and generates a token.
- The server stores the previously generated token in some storage along with the user identifier and an expiration date.
- The server sends the generated token to the client.
- In every request, the client sends the token to the server.
- The server, in each request, extracts the token from the incoming request. With the token, the server looks up the user details to perform authentication and authorization.
- 如果令牌有效,则服务器接受请求.
- 如果令牌无效,则服务器拒绝该请求.
[...]从客户端到服务器的每个请求必须包含理解该请求所需的所有信息,并且不能利用服务器上任何已存储的上下文.因此,会话状态完全保留在客户端上. [...]
[...] each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client. [...]
When accessing protected resources that require authentication, each request must contain all necessary data to be properly authenticated/authorized. It means the authentication will be performed for each request.
请参见 RFC 7235 中的引号对于新的身份验证方案:
Have a look at this quote from the RFC 7235 regarding considerations for new authentication schemes:
HTTP身份验证框架的某些方面 限制了新的身份验证方案的工作方式:
There are certain aspects of the HTTP Authentication Framework that put constraints on how new authentication schemes can work:
- 假定HTTP身份验证是无状态的:所有 必须提供验证请求所需的信息 在请求中,而不是依赖于服务器的记忆 事先要求. [...]
- HTTP authentication is presumed to be stateless: all of the information necessary to authenticate a request MUST be provided in the request, rather than be dependent on the server remembering prior requests. [...]
并且身份验证数据(凭据)应属于标准HTTP Authorization
标头.来自 RFC 7235 :
And authentication data (credentials) should belong to the standard HTTP Authorization
header. From the RFC 7235:
标头字段允许用户代理进行身份验证 本身与原始服务器一起使用-通常(但不一定)在 收到401
(未经授权)响应.其值包括 包含用户身份验证信息的凭据 所请求资源领域的代理.
The Authorization
header field allows a user agent to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401
(Unauthorized) response. Its value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.
Authorization = credentials
请注意,此HTTP标头的名称很不幸,因为它包含 authentication 数据而不是 authorization .无论如何,这是用于发送凭据的标准标头.
Please note that the name of this HTTP header is unfortunate because it carries authentication data instead of authorization. Anyways, this is the standard header for sending credentials.
When performing a token based authentication, tokens are your credentials. In this approach, your hard credentials (username and password) are exchanged for a token that is sent in each request.
身份验证令牌是服务器生成的用于标识用户的一条数据.基本上,令牌可以是不透明(除了值本身,它不显示任何细节,例如随机字符串),也可以是自包含(例如 JSON Web令牌):
An authentication token is a piece of data generated by the server which identifies a user. Basically, tokens can be opaque (which reveals no details other than the value itself, like a random string) or can be self-contained (like JSON Web Token):
Random string: A token can be issued by generating a random string and persisting it to a database with an expiration date and with a user identifier associated to it.
JSON Web令牌(JWT):由 RFC 7519定义,这是一种在两方之间安全地表示索赔的标准方法. JWT是一个自包含的令牌,可让您在有效负载中存储用户标识符,有效期以及您想要的任何内容(但不存储密码),该内容为 JSON 编码为 Base64 .客户端可以读取有效负载,并且可以通过在服务器上验证其签名轻松地检查令牌的完整性.如果您不需要跟踪JWT令牌,则无需持久化它们.虽然如此,通过保留令牌,您将有可能使令牌无效并取消对其的访问.要跟踪JWT令牌,而不是永久保留整个令牌,可以保留令牌标识符( jti
声明)和一些元数据(您为其发出令牌的用户,到期日期等).要找到一些与JWT一起使用的出色资源,请查看 http://jwt.io .
JSON Web Token (JWT): Defined by the RFC 7519, it's a standard method for representing claims securely between two parties. JWT is a self-contained token and enables you to store a user identifier, an expiration date and whatever you want (but don't store passwords) in a payload, which is a JSON encoded as Base64. The payload can be read by the client and the integrity of the token can be easily checked by verifying its signature on the server. You won't need to persist JWT tokens if you don't need to track them. Althought, by persisting the tokens, you will have the possibility of invalidating and revoking the access of them. To keep the track of JWT tokens, instead of persisting the whole token, you could persist the token identifier (the jti
claim) and some metadata (the user you issued the token for, the expiration date, etc) if you need. To find some great resources to work with JWT, have a look at http://jwt.io.
Tip: Always consider removing old tokens in order to prevent your database from growing indefinitely.
You should never accept expired tokens or tokens which were not issued by your application. If you are using JWT, you must check the token signature.
请注意,一旦您发行了令牌并将其提供给客户,您将无法控制客户对令牌的处理方式. 没有控制权. 认真.
Please note, once you issue a token and give it to your client, you have no control over what the client will do with the token. No control. Seriously.
通常的做法是检查 User-Agent
It's a common practice to check the User-Agent
header field to tell which browser is being used to access your API. However, it's worth mention that HTTP headers can be easily spoofed and you should never trust your client. Browsers don't have unique identifier, but you can get a good level of fingerprinting if you want.
I don't know about your security requirements, but you always can try the following in your server to enhance the security of your API:
- 检查颁发令牌时用户使用的浏览器.如果以下请求中的浏览器不同,则拒绝令牌.
- 获取颁发令牌时的客户端远程地址(即客户端IP地址),并使用第三方API查找客户端位置.例如,如果以下请求来自其他国家/地区的地址,请拒绝该令牌.要按IP地址查找位置,可以尝试使用免费的API,例如 MaxMind GeoLite2 或 IPInfoDB .请注意,对于您的API收到的每个请求都命中第三方API并不是一个好主意,并且可能会对性能造成严重损害.但是,通过存储客户端远程地址及其位置,可以使用 cache 将影响降到最低.如今有一些缓存引擎可用.仅举几例:番石榴, Infinispan , Ehcache 和 Spring .
- Check which browser the user was using when the token was issued. If the browser is different in the following requests, just refuse the token.
- Get the client remote address (that is, the client IP address) when the token was issued and use a third party API to lookup the client location. If the following requests comes an address from other country, for example, refuse the token. To lookup the location by IP address, you can try free APIs such as MaxMind GeoLite2 or IPInfoDB. Mind that hitting a third party API for each request your API receives is not a good idea and can cause a severe damage to the performance. But you can minimize the impact with a cache, by storing the client remote address and its location. There are a few cache engines available nowadays. To mention a few: Guava, Infinispan, Ehcache and Spring.
When sending sensitive data over the wire, your best friend is HTTPS and it protects your application against the man-in-the-middle attack.
By the way, have I mentioned you should never trust your client?
这篇关于REST API中基于令牌的身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!