Problem description
Most of the JWT (JSON Web Token) tutorials (e.g. this and this) say that, once validated, you can use the incoming token to get client information without validating it from the DB.
My question is, how is the invalid-user situation maintained then? What I mean is, let's say a client just got a JWT token which expires in one week. But for a very specific reason, let's say we decided to invalidate the user and don't want the user to access our API. But that user still has a token which is valid, and the user can access the API.
Of course, if we take a round trip to the DB for each request, then we can validate whether the account is valid or invalid. My question is, what is the best way to take care of this kind of situation for long-lived tokens?
Thanks.
Recommended answer
It's difficult to revoke JWT-based access tokens, if not impossible.
How should an access token be represented? There are two major ways.
- As a meaningless random string. Information associated with the access token is stored in a database table behind the authorization server.
- As a self-contained string, which is the result of encoding the access token information with base64url or something similar.
A choice between these ways will lead to consequent differences as described in the following table.
See "7. Access Token" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for pros and cons of the ways of access token representation.
If your access tokens are JWT-based, your system has to (1) remember revoked access tokens until they expire. Another compromise is to (2) make the lifetime of access tokens short enough and give up revoking them.
Personally, after consideration, I didn't select JWT as the access token representation when I implemented an authorization server (Authlete), because it is difficult/impossible to revoke and update JWT-based access tokens once they are issued.
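Option (1) from the answer above, as an added example that is not part of the original post or of Authlete: a minimal HS256 verifier plus a revocation list keyed by the token's `jti` claim, which forgets an entry once that token would have expired anyway, so the list stays bounded by the token lifetime. The secret, claims and timestamps are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed placeholder, not a real key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(sub: str, jti: str, ttl: int, now: int) -> str:
    """Mint an HS256 JWT; the 'jti' claim lets the server name it in a revocation list."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "jti": jti, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{_b64url(_sign(header + '.' + payload))}"

class RevocationList:
    """Option (1): remember revoked token ids, but only until those tokens expire."""
    def __init__(self):
        self._revoked = {}  # jti -> exp, so an entry can be dropped once it is useless
    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp
    def prune(self, now: int) -> None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
    def is_revoked(self, jti, now: int) -> bool:
        self.prune(now)
        return jti in self._revoked
    def size(self) -> int:
        return len(self._revoked)

def verify_token(token: str, revoked: RevocationList, now: int):
    """Return the claims if signature, expiry and revocation checks all pass, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    # The server, not the token, decides the algorithm; then check the MAC in constant time.
    if header.get("alg") != "HS256" or not hmac.compare_digest(_sign(header_b64 + "." + payload_b64), sig):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if revoked.is_revoked(claims.get("jti"), now):  # the DB-free per-request check
        return None
    return claims
```

The revocation list is the only state a resource server needs per request, and it is empty again a week after the last revocation if tokens live one week.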