使用客户端指纹对JWT令牌进行编码? [英] Use client fingerprint to encode JWT token?
问题描述
我想知道使用客户端指纹作为JWT秘密进行编码是否是最佳实践.但是,我在WWW上找不到任何与此问题相关的信息,但到目前为止,对我来说这很有意义.
I'm wondering if it would be best practice to use a clients fingerprint as JWT-secret for encoding. However I couldn't find anything in the WWW concerning this question, but so far it makes sense to me to do it.
我正在考虑使用JavaScript生成指纹客户端,并在每次调用时将其发送到API.然后,API应该将指纹与硬编码的秘密一起使用,以对令牌进行编码和解码.
I'm thinking about generating a fingerprint client-side with JavaScript and sent it to the API with every call. The API should then use the fingerprint with a hard coded secret together for encoding and decoding the token.
这不是预防CSRF的好方法吗? 还是我错过了其他东西? 或大体上:用JWT预防CSRF的最佳方法是什么? (我使用的是PHP和VueJS,是否存在与案例相关的解决方案?)
Isn't this a good method to prevent CSRF? Or am I missing out on something else? Or in general: What is the best way to prevent CSRF with JWT? (I'm using PHP and VueJS, is there maybe a case related solution?)
推荐答案
我从未听说过.
使用私钥或共享机密对令牌进行签名.使用指纹意味着您可以将一个(或多个)手指与一个私钥相关联,然后计算令牌.
A token is signed using a private key or a shared secret. The use of a fingerprint means you can correlate one (or more) fingers to a private key then compute a token.
但是,这看起来与我正在使用的 Webauthn协议非常相似.使用Android设备时,浏览器可以与指纹/屏幕锁进行交互以验证用户身份.设备发送的数据是JWT,可以使用Google API进行验证(请参见
However, this looks very similar to the Webauthn protocol I am working with. When using Android devices, the browser can interact with the fingerprint/screenlock to authenticate the user. The data sent by the device is a JWT that can be verified using a Google API (see Android SafetyNet).
这篇关于使用客户端指纹对JWT令牌进行编码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!