How to deal with changing permissions with JWTs

Views: 1359

Question

JWT promises to be faster / simpler by including permissions in the Token itself. However my question is this: say a user is logged in, and is using a JWT that contains permission info allowing them access to A and B.
Then an admin or other user comes along and grants that user permission to view C while the user is still logged in. But because the user is still using the old JWT, he's still not going to be able to access C.

What are the options here? Blacklist the token and force the user to log in again? Or forget about token-based permissions altogether?

Answer

JWT tokens are stored in localStorage or cookies on the frontend side, so this is the issue your application will face with changing permissions.

Use a refresh token mechanism with a unique SECRET per user, stored in the database, so that changing this SECRET will force that particular user to re-login and get a new token with updated permissions.

