JWT token for multiple websites


Question

How can I have a single JWT token be shared among multiple websites? I assume that the first thing would be to have the same secret on all websites.

If the user logs in on site A and a token is generated, I want to use the same token for website B on a totally different domain.

Can this be done?

Recommended answer

What you want can be done, but not with a single JWT token. A JWT token is intended for a certain service or application indicated by the audience (aud) claim. You cannot use the same token for another application or service.

What typically happens to make your SSO scenario work is that the user logs in to the token issuing (authorization) server. As long as that session is valid, the user can acquire tokens for all applications the server can issue tokens for.

So, when the user logs in to the first application, the authorization server sets a cookie to establish a session. When the user navigates to the second application, the application redirects him/her to the authorization server for authentication. The authorization server detects the session cookie and does not prompt the user to log in again, but issues a new JWT token for the second application.
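The flow in the answer above, as an added example that is not part of the original post: one authorization server mints a separate HS256 token per application, each bound by its `aud` claim, and a relying application rejects a token minted for another site. The shared secret, the issuer and site URLs, and the timestamps are constructed demo values; the minimal JWT encoding uses only the standard library.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (not from the original post): one authorization server, two apps.
SECRET = b"constructed-demo-secret"          # assumption: HS256 key shared by issuer and both apps
SITE_A, SITE_B = "https://site-a.example", "https://site-b.example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Authorization server: mint an HS256 JWT bound to one application via its 'aud' claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://auth.example", "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, expected_audience: str, now: int) -> dict:
    """Relying application: check signature, expiry, and that 'aud' names this app."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # allowlist the algorithm; never honour 'none'
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    if payload.get("aud") != expected_audience:
        raise ValueError(f"audience mismatch: token is for {payload.get('aud')!r}")
    return payload

def sso_demo(now: int = 1_700_000_000) -> dict:
    """One login session at the issuer yields a separate token per application."""
    token_a, token_b = issue_token("alice", SITE_A, now), issue_token("alice", SITE_B, now)
    out = {"a_on_a": verify_token(token_a, SITE_A, now)["sub"],
           "b_on_b": verify_token(token_b, SITE_B, now)["sub"]}
    try:                                      # presenting site A's token to site B must fail
        verify_token(token_a, SITE_B, now)
        out["a_on_b"] = "accepted"
    except ValueError as e:
        out["a_on_b"] = str(e)
    return out
```

Running `sso_demo()` shows both sites accepting their own token for `alice` while site B refuses site A's token with an audience mismatch; the same secret on both sites does not make one token valid for both.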
