How to get a JWT?


Problem description

When reading about securing an app with JWTs, it is often said that the client initially gets a token from the server and then sends this token along with every request to the API.

This approach works great, once you have a token. As far as I can see, the default way of transferring a token is using an HTTP header, namely Authentication with Bearer as the prefix of the token as value.

But - is there also a default way of how to get the token initially? In samples you often see that this is just a simple request to an HTTP endpoint, that then returns JSON. But I was wondering whether there is something more of a standard workflow that e.g. describes what should be the name of this endpoint, as in OAuth2?

Any hints?

Recommended answer

JWT is a token format which is used in security protocols like OAuth2 and OpenID Connect.

How to get the token from the authorization server depends on the grant flow you are using.

There are 4 grant flows defined in OAuth 2.0 that are intended for different clients and uses.

  1. Authorization code grant

This grant is intended for web applications. The user's browser is redirected (HTTP 302) to the authorization server. The authorization server takes care of authenticating the user (via username/password, smartcard, 2-factor auth, whatever).

The authorization server then redirects the browser back to a preregistered endpoint in the web application with a code. The web application then uses its own credentials (client id and client secret) and the authorization code to request an access token from the authorization server.

The authorization server returns an access token and a refresh token to the web application. Note that the browser (untrusted) never sees the access token. Only the web application (trusted) has access to the access token and refresh token.

This grant is difficult to use from clients other than web applications as it's based on HTTP redirection.

  2. Implicit grant

This grant is used for untrusted clients like JavaScript applications or 3rd party mobile clients (the ones you download from the app store).

It also redirects a browser (or browser control) to the authorization server, but instead of returning a code to the browser after successful authentication, it returns an access token directly. Because the client is not trusted, the grant does not return a refresh token. The access token needs to be stored somewhere and is vulnerable to XSS attacks.

Even though you do not get a refresh token, some implementations do provide a way to get a new access token by communicating with the authorization server in a hidden IFRAME and using cookies to authenticate with the authorization server itself.

  3. Resource owner password credentials grant

This grant is for trusted clients, for example a desktop application or a first party mobile app with secure storage capabilities. The client application asks the user (the resource owner) for their username/password and then sends this to the authorization server to acquire an access token and refresh token.

Once the client has the access token, it can discard the password as it can use the refresh token to get new access tokens. This makes it more secure than basic authentication.

This grant does not depend on browser redirects and can be easily used from any application that can execute HTTP requests.

  4. Client credentials grant

This grant is meant to authenticate the client (application) instead of the user of the client.

In this case, the client submits its client id and secret directly to the authorization server to acquire an access and refresh token.

So basically the first two grants depend on browser-like capabilities (HTTP redirects, HTML login pages), whereas the other two grants only need an HTTP stack to communicate with the authorization server.
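As an added example (not code from the original answer), the authorization code grant from the answer above carried through its four steps, with the token endpoint modelled as a constructed in-memory handler that also accepts the client credentials grant. The server URL, client id and secret, redirect URI and the issued code are assumptions; the header carried on API calls is `Authorization: Bearer` (RFC 6750).

```python
from urllib.parse import urlencode, parse_qs, urlsplit
import hmac

AUTHZ_SERVER = "https://auth.example"             # assumed authorization server
CLIENT_ID, CLIENT_SECRET = "webapp", "s3cr3t"     # assumed registered client credentials
REDIRECT_URI = "https://app.example/callback"     # assumed preregistered redirect endpoint
ISSUED_CODES = {"abc123": REDIRECT_URI}           # constructed: code -> redirect_uri it was issued for

def build_authorize_url(state):
    """Step 1: the web app sends the browser here with a 302 (front channel)."""
    q = {"response_type": "code", "client_id": CLIENT_ID,
         "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state}
    return f"{AUTHZ_SERVER}/authorize?{urlencode(q)}"

def handle_callback(callback_url, expected_state):
    """Step 2: the server redirects back with ?code=&state=; reject a state mismatch."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: redirect was not started by this session")
    return params["code"]

def token_request(grant, **fields):
    """Step 3: back-channel POST to /token from the web app; the browser never sees it."""
    body = urlencode({"grant_type": grant, "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET, **fields})
    return {"method": "POST", "url": f"{AUTHZ_SERVER}/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": body}

def fake_token_endpoint(req):
    """Constructed stand-in for the server's /token handler (not a real library)."""
    p = {k: v[0] for k, v in parse_qs(req["body"]).items()}
    if not hmac.compare_digest(p.get("client_secret", ""), CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    if p.get("grant_type") == "authorization_code":
        issued = ISSUED_CODES.pop(p.get("code"), None)   # codes are single use
        if issued is None or issued != p.get("redirect_uri"):
            return 400, {"error": "invalid_grant"}        # unknown, reused or wrong redirect_uri
        return 200, {"access_token": "eyJ.constructed.jwt", "token_type": "Bearer",
                     "expires_in": 3600, "refresh_token": "rt-1"}
    if p.get("grant_type") == "client_credentials":        # app identity only, no user
        return 200, {"access_token": "eyJ.constructed.app", "token_type": "Bearer", "expires_in": 3600}
    return 400, {"error": "unsupported_grant_type"}

def bearer_header(token):
    """Step 4: every API call carries the token as Authorization: Bearer (RFC 6750)."""
    return {"Authorization": f"Bearer {token}"}

def run_code_flow(callback_url, state):
    code = handle_callback(callback_url, state)
    return fake_token_endpoint(token_request("authorization_code", code=code, redirect_uri=REDIRECT_URI))
```

The `state` value is generated per login and kept in the web app's session so that the callback can be tied back to the redirect it started.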
