Problem description
In my project there's a requirement to invalidate all jwt tokens of a user when the user changes his password. I was thinking of giving each user a different signing key, and simply reset the key when password is changed. Then I googled around and found Redis is a good place to store those per-user keys. Everything seems to work just fine.
But there is one thing I cannot get my head around. Since it has to hit Redis once per request, is it any different from issuing the user an opaque token instead of a JWT and storing the token -> JWT payload mapping in Redis? Doesn't that defeat the purpose of using JWT?
Recommended answer
To invalidate tokens you need to revoke them. The OAuth spec also does not require getting the secret key from a remote server every time you need to validate a JWT (as you said, it kind of defeats the purpose). The key can be stored locally at the resource site. You have two options here:
1) Introspect the JWT token from the resource side against the OAuth server every time it validates it. Seems like overkill to me. The best approach is to give the JWT token a short expiration time and let the already issued tokens just expire.
2) Have the resource store the secret key locally, and when it fails to validate, go and get the key and re-validate it again.
This concludes the article on JWT - per-user signing keys; we hope the recommended answer is helpful.