ASP.NET Identity Bearer Token vs JWT Pros and Cons


Question

I have used ASP.NET Identity for a while now and have been looking at JWT (JSON Web Token) as they seem really interesting and easy to use.

JWT.IO has a great example/tool for debugging the token.

However, I'm not entirely sure how JWTs work on the back end; would you still use Identity?

Also, how do the tokens (Bearer vs JWT) compare? Which is more secure?

Recommended answer

A JWT is like a ticket to an attraction. It contains all the security information a server needs embedded in it. Once the server has handed it out, the client just needs to present it whenever it asks for something, and the server responds accordingly if it's valid.

The contents are entirely viewable, but they're signed using a secret key by the server so it can tell if they've been tampered with.

Since everything is in the JWT, and the client can present it to whomever they want, you can use it for Single Sign On as long as the different servers share the same secret so they can verify the signature.

Like a ticket, a JWT has an expiry date. As long as it hasn't expired, it's valid. This means you can't revoke them before that. For this reason JWTs often have short expiry times (30 mins or so) and the client is also issued a refresh token in order to renew the JWT quickly when it expires.

JWT

  • Not stored on the server
  • Great for SSO
  • Cannot be revoked early

Bearer tokens are like a guest list. The server puts the client on the guest list, then provides a pass code to identify it when it wants something. When the client provides the code, the server looks it up on the list and checks that it's allowed to do whatever it's asking.

The server has to have the list available to it, so if you want to share access across servers, they either all need to be able to access the list (database), or talk to some authority that has it (auth server).

On the other hand, since they have the guest list, they can take you off it whenever they want.

Bearer tokens

  • Stored on the server
  • Can be revoked at any time
  • Need a central authority or shared database to share tokens across servers

Bit of Tech has some excellent tutorials on implementing JWTs with Web Api if you want to go down that route.
