Question
So, right now I'm building an API for third parties to use, and I was reading about RS256 and HS256. What I understood was that the difference between them is that in the first one you use a public key to verify and a private key to sign, and the other one uses just one key. So you use RS256 if you want to keep your secret key secure and want the client to verify the token, but what I don't understand is why you would want to verify the token in the client. Because you do a POST request to the server, then it sends you back a token, and whenever you want to make an authorized request you just use that token and the server verifies it and lets you continue if it's OK. So, why would you want to verify the token in the client? I thought it was the backend's duty.

I think maybe I'm wrong about something; I hope you can help clear this up. Thanks.

So, my question is: I know the differences between RS256 and HS256, but what I don't understand is the flow of how it is used. Right now I'm developing a third-party API, and I just need to return a token when the client asks for it and then, in the requests that need it, just verify on the server that it's a valid token. From what I understand, RS256 is used when you want to verify your token from the client; if that's right, can someone give me an example of when or why you would want to verify the token in the client?
Recommended answer
Use RS256 when:

- tokens are signed by a third party, usually an Identity Provider (e.g. OAuth2/OIDC), and you need to verify that the token has been issued by a trusted entity
- tokens are signed by clients, usually to get access to an API, where clients have previously registered the public key
- tokens are signed by a centralized authentication server in a Single Sign-On system and they are used to get access to several federated servers
- tokens are used to transfer data between two parties, not necessarily for authentication purposes, and the signature is used to ensure the identity of the signatory

Use HS256 when:

- tokens are signed and verified by the same server
(Original question title: When to use RS256 for JWT?)