How to pass secure data like user-name/password in Json Web Token?

Views: 152

Question

There is a lot of discussion, and a lot of support for the view, that the token-based authentication architecture of a MEAN application is secure. But I have a question: does it really pass the user-name and password for authorization and authentication as the payload in a JSON Web Token, and if we are not passing secured information in the payload, then how does the JSON Web Token authenticate the user without the user-name / password on the server side?

I read lots of architecture material, but it doesn't explain what logic is used to authenticate the token without using the user-name/password.

Is it valid to store the authentication token in cookies rather than in web storage?

Yes, I know that they use a private key and public key for verification, but that's not enough to authenticate. To authenticate a specific user it requires some key values like user-name/password, or any key access required to identify the particular user.

Answer

No, it is not secure to send a password in a JWT. This is because the JWT claims are simply encoded and can easily be decoded by anyone that sees them. It is not secure to store any sensitive information in a JWT that is returned to a user.

You seem to misunderstand the JWT's role in authentication. Generally, JWT authentication is going to replace a stateful session system. In many normal flows, a user authenticates using their username and password and the server sets a session cookie for the user. When the user returns to the website, their browser sends the session cookie along with them. The server sees a request coming in with a session cookie and looks up the relevant session data from some database.

In many JWT-based systems, a user authenticates with their username and password as usual, but instead of the authorization server setting a session cookie that references something in the database, it will set a cookie that contains a JWT of the user's session data. This could include their username, any roles they have, or any other data necessary.

Now, when the user returns to the website and their browser presents this new JWT cookie, the server only needs to verify that it was signed by the authorization server in order to trust the claims inside. Avoiding the database lookup for session information has many benefits, not the least of which is speed.
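The flow the answer describes, as an added example that is not part of the original post: the password is checked exactly once at login, a signed JWT carrying only non-sensitive claims (subject, roles, issue/expiry times) is issued, and on later requests the server trusts the claims only after verifying the signature. The HS256 signing, the shared secret, the user store and the one-hour lifetime are all constructed for this example; a real deployment would use a library such as PyJWT and a proper password hash (bcrypt/argon2), not the SHA-256 stand-in used here. The last function shows why a password must never be a claim: the payload is readable by anyone holding the token, no key required.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret for HS256 (assumption: a single server-side shared key).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed user store: only a password digest is kept, never the plaintext.
# (SHA-256 is a stand-in; use bcrypt/argon2 in real code.)
_USERS = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def login(username: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """Step 1: verify the credentials once, then issue a JWT.
    The password is NOT placed in the token; only identity and role claims are."""
    stored = _USERS.get(username)
    digest = hashlib.sha256(password.encode()).hexdigest()
    # Constant-time compare; also runs the compare even for unknown users.
    if stored is None or not hmac.compare_digest(stored, digest):
        return None
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "roles": ["user"], "iat": now, "exp": now + 3600}
    return sign_jwt(claims)


def verify_jwt(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Step 2: on later requests the server needs no database lookup and no
    password; it trusts the claims only if the signature and expiry check out."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: never let the token choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SERVER_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered payload or forged signature
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now if now is not None else int(time.time()):
        return None  # expired
    return claims


def decode_payload_without_key(token: str) -> dict:
    """Anyone who sees the token can read its claims: encoding is not encryption."""
    return json.loads(_b64url_decode(token.split(".")[1]))
```

The expiry check in `verify_jwt` is deliberately evaluated against an injectable `now` so the behaviour is testable without waiting; the same applies to `login`.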
