How to properly use Bearer tokens?


Question


I'm making an authorization system in PHP, and I came across this Bearer scheme of passing JWT tokens, I read [RFC 6750][1]. I've got the following doubts:

  1. How is this improving the security?
  2. The server responds to the client with a JWT token in its body after a successful authorization and login, and now when the client makes another request, I am not clear how to actually do that. I want to send the token from the client in the Authorization header in the request, so now should I just prefix "Bearer" to the token which I received in the previous response from the server? And if yes, then the server, on receiving the Authorization header, should just split the string with a space, take the second value from the obtained array and then decode it? For example Authorization: Bearer fdbghfbfgbjhg_something, how is the server supposed to handle this, decodeFunc(explode(" ", $this->getRequest()->getHeader("Authorization"))[1])?

  [1]: https://www.rfc-editor.org/rfc/rfc6750

Answer


1. Improving the security because if the token is not sent in the header but is sent in the URL, it will be logged by the network system, the server log ....


2. A good function to get Bearer tokens

/**
 * Get header Authorization
 * */
function getAuthorizationHeader(){
    $headers = null;
    if (isset($_SERVER['Authorization'])) {
        $headers = trim($_SERVER["Authorization"]);
    }
    else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { //Nginx or fast CGI
        $headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
    } elseif (function_exists('apache_request_headers')) {
        $requestHeaders = apache_request_headers();
        // Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
        $requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
        //print_r($requestHeaders);
        if (isset($requestHeaders['Authorization'])) {
            $headers = trim($requestHeaders['Authorization']);
        }
    }
    return $headers;
}
/**
 * get access token from header
 * */
function getBearerToken() {
    $headers = getAuthorizationHeader();
    // HEADER: Get the access token from the header
    if (!empty($headers)) {
        // "Bearer", one whitespace character, then the token (a run of non-whitespace)
        if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
            return $matches[1];
        }
    }
    return null;
}
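The question asks whether the server should simply split the header on a space. Below is an added example (not part of the original answer) that parses the header according to the grammar in RFC 6750 and builds the WWW-Authenticate challenge the RFC requires on failure; `parseBearerToken` and `bearerChallenge` are names chosen here, and the sample header values are constructed.

```php
<?php
// Added example, not from the original answer: parse the Authorization header
// as RFC 6750 describes it instead of splitting on the first space, and build
// the WWW-Authenticate challenge the RFC requires on failure. Assumes the caller
// fetched the raw header value (e.g. via getAuthorizationHeader() above) and
// validates the JWT itself separately.

/**
 * Return the bearer token from an Authorization header value, or null when
 * the header is absent, uses another scheme, or is malformed.
 * RFC 6750 section 2.1: the scheme name is case-insensitive and the token is
 * 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=" (b64token);
 * a compact JWT (base64url segments joined by ".") fits that grammar.
 */
function parseBearerToken(?string $header): ?string
{
    if ($header === null) {
        return null;
    }
    // Anchored at both ends: "Bearer abc def" or a missing token is rejected, not truncated.
    if (!preg_match('/^\s*Bearer\s+([A-Za-z0-9\-._~+\/]+=*)\s*$/i', $header, $m)) {
        return null;
    }
    return $m[1];
}

/**
 * WWW-Authenticate challenge per RFC 6750 section 3. With no error code the
 * response is a bare 401 (no token presented); invalid_request maps to 400,
 * invalid_token to 401 and insufficient_scope to 403.
 */
function bearerChallenge(string $realm, ?string $error = null, ?string $description = null): array
{
    $status = ['invalid_request' => 400, 'invalid_token' => 401, 'insufficient_scope' => 403];
    $value = 'Bearer realm="' . addcslashes($realm, '"\\') . '"';
    if ($error !== null) {
        $value .= ', error="' . $error . '"';
        if ($description !== null) {
            $value .= ', error_description="' . addcslashes($description, '"\\') . '"';
        }
    }
    return ['status' => $status[$error] ?? 401, 'header' => 'WWW-Authenticate: ' . $value];
}

// Constructed sample values; the JWT-looking string is not a real token.
var_dump(parseBearerToken('Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln'));  // the token string
var_dump(parseBearerToken('bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln'));  // accepted, scheme is case-insensitive
var_dump(parseBearerToken('Basic dXNlcjpwYXNz'));                    // NULL: other scheme
var_dump(parseBearerToken('Bearer abc def'));                        // NULL: malformed
var_dump(bearerChallenge('api', 'invalid_token', 'expired'));       // status 401 + challenge header
```

Extracting the token only answers the transport question; the JWT's signature and expiry still have to be verified before any claim in it is trusted.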

