Do we need to validate JSON Web Token at client/consumer?

Question

I am studying a bit about JSON Web Token. I understood that header+claims get signed by a secret key and the encoded result gets concatenated to "header.claims.signature" and finally sent back to the client.

I have a few basic doubts:

  • Do we need to validate the token at the client/consumer (for authenticity, once the token is received from the server)? Is that the standard at all, or is it unnecessary? Is there any example for reference?
  • If the client needs to validate the token, I guess it has to know the secret key to decrypt/decode. Is there any other way to have the client validate on its own without sharing the server's secret key?
  • If the client knows the secret key, I guess it can create its own token too. In such a case, does the server need to accept such tokens (or is it application/business dependent?)

Accepted answer

Do we need to validate the token at client/consumer

On the client side you usually don't validate the token. Treat it just as an opaque token. Keep it safe and use it when making requests to the server.

If the client needs to validate the token, I guess it has to know the secret key to decrypt/decode.

As mentioned above, the client doesn't need to validate the token.

In any case in which the authentication server (the instance that authenticates the user and issues the token) and the resource server (the instance that owns a protected resource and requires a token for authorization) are not the same, signing and validation of the token is usually done with asymmetric algorithms like RS256, in which the private key is used to sign the token and is only known by the authentication server, and the public key is used to verify the signature.

If the client knows the secret key, I guess it can create its own token too. If such is the case, does the server need to accept such tokens (or is it application/business dependent?)

That's why a client should not know the secret key. When symmetric key algorithms (e.g. HS256) are used, in which the same key is used to sign and verify a signature, you can't allow the client to know the key, as it could be abused to create a fake token. Then JWT would be pointless. For asymmetric keys, there's no risk if the client knows the public key.
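The symmetric case the answer describes, as an added example that is not part of the original post: a stdlib-only HS256 mint/verify pair for the "header.claims.signature" format. The same key drives both functions, which is exactly why only the authentication and resource servers may hold it; the verifier also pins the algorithm and checks expiry, since a resource server must never let the token's own header choose how it is validated. All key and claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue header.claims.signature with HS256. Runs on the authentication server only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Resource-server check. Returns the claims on success, None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: a header announcing "none" or an RSA alg is not honoured by an HS256 verifier.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check itself leaks nothing about the expected signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims

if __name__ == "__main__":
    # Constructed demo values (hypothetical key and claims, not from the original post).
    server_key = b"server-only-secret"
    issued_at = 1_700_000_000
    tok = mint_hs256({"sub": "alice", "exp": issued_at + 3600}, server_key)
    print(verify_hs256(tok, server_key, now=issued_at))        # claims dict
    print(verify_hs256(tok, b"some-other-key", now=issued_at)) # None
    # Whoever holds server_key can mint a token that verifies identically; the verifier
    # cannot tell the issuer apart from anyone else with the key, hence keep it off the client.
```

The client side has no counterpart here on purpose: it only stores the string and presents it on requests, as the answer says.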
