我需要在哪里使用JWT? [英] Where do I need to use JWT?
问题描述
除了结构和协议之外,我当时想知道JWT适合客户/服务器通信的地方吗?
The structure and protocol aside, I was wondering where JWT fits into client/server communication?
- 是在这里替换身份验证和会话cookie吗?
- 在这里是为了减轻服务器在数据库或内存中存储会话令牌的压力吗?
- 客户端是否可以确保他们正在从预期的服务器接收数据,如果这不是问题,我就不需要JWT?
- 当连接为HTTPS/SSL时,服务器到服务器的通信是否有必要或良好的做法?
推荐答案
什么是JWT?
这是只有服务器才能生成的令牌,并且可以包含数据的有效负载.
What JWT is exactly?
It is a token that only the server can generate, and can contain a payload of data.
JWT有效负载可以包含诸如用户ID之类的内容,以便当客户端向您发送JWT时,您可以确保它是由您发布的,并且您可以查看给谁.发出了.
A JWT payload can contain things like user ID so that when the client sends you a JWT, you can be sure that it is issued by you, and you can see to whom it was issued.
通常,在 RESTful APIs 中,服务器不得使用任何形式的会议.
Usually, in RESTful APIs, where the server must not use any sort of sessions.
-
在典型的会话流中,浏览器发送包含令牌的cookie ,该令牌然后在服务器上匹配与服务器使用的某些数据来验证用户身份.
In a typical session flow, the browser sends a cookie containing a token, which is then matched at the server to some data which the server makes use of to authenticate the user.
在JWT流中,令牌本身包含数据.服务器解密令牌以仅对用户进行身份验证.服务器上没有存储数据.
In a JWT flow, the token itself contains the data. The server decrypts the token to authenticate the user only. No data stored on the server.
- 已将用户凭据发送到
/signin -
/signin返回JWT - JWT存储在
localStorage中
- 在每个请求上都向JWT发送了(向API发送?)
- 服务器解密JWT并从其中提取用户ID
- 服务器向经过身份验证的用户发送响应.
- User credentials sent to
/signin /signinreturns a JWT- JWT is stored in
localStorage - JWT is sent on every request (to API?)
- The server decrypts JWT and extracts user ID out of it
- The server sends response given the authenticated user.
这篇关于我需要在哪里使用JWT?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
