问题描述

在aspnet核心2的JwtAuthentication配置中使用了哪些bearerOption.SaveToken属性?

What bearerOption.SaveToken property used for in the configuration of JwtAuthentication in aspnet core 2 ?

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                    .AddJwtBearer(bearer =>
                    {
                        bearer.TokenValidationParameters.IssuerSigningKey = signingKey as SecurityKey;
                        bearer.TokenValidationParameters.ValidIssuer = Configuration["Jwt:Issuer"];
                        bearer.TokenValidationParameters.ValidAudience = Configuration["Jwt:Audience"];
                        bearer.TokenValidationParameters.ClockSkew = TimeSpan.Zero;
                        bearer.TokenValidationParameters.ValidateLifetime = true;
                        bearer.TokenValidationParameters.ValidateAudience = true;
                        bearer.TokenValidationParameters.ValidateIssuer = true;
                        bearer.TokenValidationParameters.ValidateIssuerSigningKey = true;
                        bearer.TokenValidationParameters.RequireExpirationTime = true;
                        bearer.TokenValidationParameters.RequireSignedTokens = true;
                        // ******
                        bearer.SaveToken = true;
                        // ******
                    });

推荐答案

bearer.SaveToken用于指示服务器是否必须保存令牌服务器端才能对其进行验证.因此，即使用户具有正确签名和加密的令牌，如果它不是由服务器生成的，也不会通过令牌验证.这是一项安全性增强措施，因此即使签名密钥遭到破坏，您的应用程序也不会受到破坏.

bearer.SaveToken is used to indicate whether the server must save the token server side to validate them. So even when a user has a properly signed and encrypted token, it'll not pass token validation if it is not generated by the server. This is a security reinforcement so even when the signing key is compromised, your application is not.

缺点:

• 如果您的应用程序重新启动，则回收的令牌将不再有效.
• 如果您有分布式应用程序，则此方法对您不起作用.

这篇关于BearerOption.SaveToken属性有什么作用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！