What to store in a JWT?


Question

How do you guys deal with the same user on multiple devices? Won't data such as {admin: true} become stale except for the device that changed it?

Should this even be in a JWT? If not, and we resort to only putting the user ID, won't that be just like a cookie-based session since we store the state on the server?

Answer

The JWT RFC establishes three classes of claims:

  • Registered claims like sub, iss, exp, nbf
  • Public claims with public names or names registered by IANA which contain values that should be unique like email, address or phone_number. See full list
  • Private claims to use in your own context, and values can collide

None of these claims are mandatory.

A JWT is self-contained and should avoid using the server session to provide the necessary data to perform the authentication (no need of server storage and database access). Therefore, role info can be included in the JWT.

When using several devices there are several reasons to revoke tokens before expiration, for example when the user changes password or permissions, or the account is deleted by an admin. In this case you would need a blacklist or an alternative mechanism to reject the tokens.

A blacklist can include the token unique ID jti or simply set an entry (sub - iss) after updating critical data on the user (password, permissions, etc.) and currentTime - maxExpiryTime < last iss. The entry can be discarded when currentTime - maxExpiryTime > last_modified (no more non-expired tokens sent).

The following Claim Names are registered in the IANA "JSON Web Token Claims" registry established by Section 10.1.

  • iss (issuer): identifies the principal that issued the JWT.
  • sub (subject): identifies the principal that is the subject of the JWT. Must be unique.
  • aud (audience): identifies the recipients that the JWT is intended for (array of strings/URIs).
  • exp (expiration time): identifies the expiration time (UTC Unix) after which you must no longer accept this token. It should be after the issued-at time.
  • nbf (not before): identifies the UTC Unix time before which the JWT must not be accepted.
  • iat (issued at): identifies the UTC Unix time at which the JWT was issued.
  • jti (JWT ID): provides a unique identifier for the JWT.
{
    "iss": "stackoverflow",
    "sub": "joe",
    "aud": ["all"],
    "iat": 1300819370,
    "exp": 1300819380,
    "jti": "3F2504E0-4F89-11D3-9A0C-0305E82C3301",
    "context": {
        "user": {
            "key": "joe",
            "displayName": "Joe Smith"
        },
        "roles": ["admin", "finaluser"]
    }
}

See an alternative here: https://stackoverflow.com/a/37520125/6371459
