问题描述

我们知道JWT内容是否被修改，服务器仅使用签名即可找到它.但是，如果JWT被黑客盗用并在未经修改的情况下使用，该怎么办?服务器如何验证JWT来自正确的客户端?

We know if the JWT content is modified, the server simply finds it using the signature. But what if the JWT is stolen and used by a hacker without modifying it? How the server verifies the JWT comes from the correct client?

我知道用户ID在JWT内，但是我仍然不确定服务器如何安全地确保JWT来自与JWT具有相同用户ID的客户端.

I know the user id is inside the JWT, but still I am not sure how the server can securely makes sure the JWT comes from the client who is having the same user id that is in the JWT.

推荐答案

黑客不能也不会修改令牌.因为令牌本身是安全的，并且是完全值得信任的.这就是JWT的本质.因此，如果没有其他信息，您将无法分辨出差异.

A hacker can't and won't modify the token. As the token itself is safe and is fully trusted. This is the nature of a JWT. So without additional information you can't tell the difference.

但是，您可以设计一种策略来保护您的资源.

You can however design a strategy to protect your resource.

最重要的是防止黑客窃取"令牌.当您始终通过安全线路发送令牌并将信息(如令牌)存储在安全的地方时，它会有所帮助.

Most important is to prevent a hacker from 'stealing' the token. It helps when you send the token always over a secured line and store information (like tokens) in a secured place.

使其不值得破解该令牌.使用短暂的令牌，例如五分钟或更短的时间.黑客持有令牌后，只会在短时间内提供访问权限.这就是可接受的损失".另一方面，不鼓励黑客，因为这样做不值得结果.

Make it not worthwhile to hack the token. Use short-lived tokens, like five minutes or less. When a hacker gets hold of a token it will only give access for a short period. This is the 'acceptable loss'. On the other hand the hacker is discouraged as the effort is not worth the result.

检测可疑行为.例如每秒100次匹配或具有相同令牌的不同IP地址.

Detect suspicious behaviour. Like hundred hits per second or varying ip addresses with the same token.

使用刷新令牌时，请检查请求方. IP地址在范围内吗?使用一次性刷新令牌.仅当客户端可以保守秘密时才允许刷新令牌.在刷新令牌上使用到期时间，这将迫使用户不时登录.

When using a refresh token, check the requesting party. Is the Ip address within range? Use one-time only refresh tokens. Only allow refresh tokens when the client can keep a secret. Use expiration on refresh tokens, this will force the user to login every now and then.

并将其他信息添加到令牌中的声明中.像ip地址，二手代理等，这些都是快速检查.

And add additional information to the claims in the token. Like the ip address, used agent, etc. These are quick checks.

如果IP地址与声明中的IP地址不同，请不要接受令牌.该应用将需要发送刷新令牌以获得新的访问令牌.没有刷新令牌，黑客就无法做到这一点.

When the ip address is not the same as in the claim, do not accept the token. The app will need to send a refresh token to obtain a new access token. The hacker can't do this without a refresh token.

跟踪成功的登录IP地址.对于已知的IP地址，令牌可以刷新.对于未知的IP地址(可能的黑客或未知的已更改wifi网络)，请使刷新令牌无效.这样，用户被迫再次登录.

Keep track of succesful login ip addresses. For a known ip address the token can be refreshed. For an unkown ip address (a possible hacker, or unknown changed wifi network), invalidate the refresh token. That way the user is forced to login again.

作为其他安全措施，在出现其他问题时，请与用户联系(发送电子邮件，就像Google一样).在这种情况下，用户可以撤消刷新令牌.

As an additional security measure contact the user (send an e-mail like Google does) when there was something different. In that case the user can revoke the refresh token.

这篇关于服务器如何验证JWT客户端?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！