How to use jti claim in a JWT


Question

The JWT spec mentions a jti claim which allegedly can be used as a nonce to prevent replay attacks:

The jti (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The jti claim can be used to prevent the JWT from being replayed. The jti value is a case-sensitive string. Use of this claim is OPTIONAL.

My question is how would I go about implementing this? Do I need to store the previously used jtis and issue a new JWT with every request? If so, doesn't this defeat the purpose of JWTs? Why use a JWT instead of just storing a randomly-generated session ID in a database?

My REST API has a mongo database and I'm not opposed to adding a Redis instance. Is there a better authentication option than JWT? I mainly just don't want to store passwords on the client, which eliminates HTTP authentication as an option; however, as I'm getting deeper into this JWT stuff I'm starting to feel as if a custom token implementation or a different standard might better suit my needs. Are there any node/express packages for token-based authentication that support token revocation and rotating tokens?

Any help would be greatly appreciated.

Answer

Indeed, storing all issued JWT IDs undermines the stateless nature of using JWTs. However, the purpose of JWT IDs is to be able to revoke previously-issued JWTs. This can most easily be achieved by blacklisting instead of whitelisting. If you've included the "exp" claim (you should), then you can eventually clean up blacklisted JWTs as they expire naturally. Of course you can implement other revocation options alongside (e.g. revoke all tokens of one client based on a combination of "iat" and "aud").
