Problem description
I just read The Ins and Outs of Token-based Authentication. It claims scalability is the main issue with server-based authentication, since the server has to store sessions locally, and it puts forward token-based authentication as the cure.
But is that really so?
Authentication is just one of the possible places that could cause a scalability issue. As long as there is ANY user-specific state stored on the server side, whether it is stored at session scope or web-application scope, that will also cause a scalability issue. It is overly exaggerated to say token-based authentication alone can solve the scalability issue. There are too many other factors which are much stronger ones. Just because token-based authentication is stateless doesn't mean the whole server CAN BE stateless.
Let's take JWT as an example. By the definition of JWT:
I don't think JWT is suitable for storing state beyond authentication data, because the common reasonable places to store a JWT all have small size limits, such as an HTTP header or a cookie.
Do you agree? Could anyone shed some light on this?
Recommended answer
Whether or not your application needs session state for other things does not affect the scalability characteristics of using JWT tokens.
It's perfectly possible to design a truly stateless application, in which case the use of token-based authentication allows you to remain stateless.
You should not use security tokens to store session info, as tokens are signed and session info is usually volatile. The issuer would need to re-sign the token each time one of the claims changes.
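The two points made above (the asker's concern about the size limits of the places a JWT can live, and the answer's point that a signed token cannot carry volatile session state without a round trip to the issuer) can both be seen in a small stand-alone HS256 example. This is added illustration code, not part of the original question or answer and not any library's API; the key, the timestamp, the claim sets and the shopping-cart payload are constructed sample values, and the 4096-byte figure is the per-cookie minimum that RFC 6265 requires user agents to support.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Constructed demo key; a real issuer keeps this secret and rotates it.
SECRET = b"constructed-demo-secret"
COOKIE_LIMIT = 4096  # bytes per cookie that user agents must support (RFC 6265)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: Any) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def sign_jwt(claims: Dict[str, Any], key: bytes) -> str:
    """Issuer side: produce a compact HS256 JWT. Only a holder of `key` can do this."""
    header_b64 = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload_b64 = _encode_json(claims)
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes, now: int) -> Optional[Dict[str, Any]]:
    """Resource-server side: a stateless check that needs only the token and the key.
    Returns the claims when signature and expiry hold, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and now >= int(claims["exp"]):
        return None
    return claims


def rewrite_claim_without_resigning(token: str, name: str, value: Any) -> str:
    """Change one claim in the payload but keep the old signature: this is what
    updating volatile session data inside a token looks like when anyone other
    than the issuer does it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims[name] = value
    return f"{header_b64}.{_encode_json(claims)}.{sig_b64}"


def cookie_bytes(token: str, cookie_name: str = "session") -> int:
    """Approximate on-the-wire size of the token when carried in a cookie."""
    return len(f"{cookie_name}={token}".encode("ascii"))


def demo() -> Dict[str, Any]:
    now = 1_700_000_000  # constructed "current time" so the demo is deterministic
    auth_claims = {"sub": "alice", "role": "user", "exp": now + 900}
    token = sign_jwt(auth_claims, SECRET)

    # Editing a claim anywhere but at the issuer breaks the signature ...
    edited = rewrite_claim_without_resigning(token, "role", "admin")
    # ... so the only way to change a claim is a round trip to the issuer.
    reissued = sign_jwt({**auth_claims, "role": "admin"}, SECRET)

    # Putting volatile session state (a shopping cart) into the token inflates
    # what must ride along on every request; 120 constructed line items suffice.
    cart = [{"sku": f"item-{i:03d}", "qty": 1} for i in range(120)]
    fat_token = sign_jwt({**auth_claims, "cart": cart}, SECRET)

    return {
        "valid": verify_jwt(token, SECRET, now) == auth_claims,
        "edited_valid": verify_jwt(edited, SECRET, now) is not None,
        "wrong_key_valid": verify_jwt(token, b"other-key", now) is not None,
        "expired_valid": verify_jwt(token, SECRET, now + 901) is not None,
        "reissued_role": (verify_jwt(reissued, SECRET, now) or {}).get("role"),
        "auth_only_bytes": cookie_bytes(token),
        "with_cart_bytes": cookie_bytes(fat_token),
        "cart_fits_cookie": cookie_bytes(fat_token) <= COOKIE_LIMIT,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Verification touches no server-side store, which is the stateless property the answer describes; but every change to `role` forces a new token from the issuer, and the cart-carrying token overshoots the cookie budget that the question worries about, while the authentication-only token stays far below it.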
This concludes the article "Token-based authentication and scalability? An illusion?"; we hope the recommended answer is helpful.