JWT token for multiple websites


Problem description

How can I have a single JWT token be shared among multiple websites? I assume that the first thing would be to have the same secret on all websites.

If a user logs in on site A and a token is generated, I want to use the same token for website B on a totally different domain.

Is that possible?

Answer

What you want can be done, but not with a single JWT token. A JWT token is intended for a certain service or application, indicated by the audience (aud) claim. You cannot use the same token for another application or service.

What typically happens to make your SSO scenario work is that the user logs in to the token-issuing (authorization) server. As long as that session is valid, the user can acquire tokens for all applications the server can issue tokens for.

So, when the user logs in to the first application, the authorization server sets a cookie to establish a session. When the user navigates to the second application, the application redirects him/her to the authorization server for authentication. The authorization server detects the session cookie and does not prompt the user to log in again, but issues a new JWT token for the second application.
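The flow in the answer, as an added worked example that is not part of the original question or answer. It models the authorization server, its session cookie and two relying sites in one process, using HS256 with one shared secret as the asker proposed, so that the only thing stopping site A's token from being replayed at site B is the aud check. The issuer URL, site names, secret and the 300-second lifetime are constructed values for the demo; the minimal JWT encoder/verifier is written inline so the example runs offline without a JWT library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret, shared by the authorization server and both sites
# (the asker's assumption). Never reuse a literal like this in production.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder (header.payload.signature, base64url)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Check the signature first, then enforce aud and exp. Raises ValueError on failure.

    aud may be a string or a list (RFC 7519 allows both); the receiving site
    must find its own identifier in it, otherwise the token is for someone else.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        raise ValueError(f"audience mismatch: token is for {aud!r}, not {expected_aud!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


class AuthorizationServer:
    """Holds the login session (a cookie on the auth server's own domain)
    and mints one short-lived token per audience."""

    def __init__(self, key: bytes):
        self.key = key
        self.sessions = {}  # session cookie value -> user id
        self.logins = 0     # how many times the user had to enter credentials

    def login(self, user: str) -> str:
        """Interactive login; returns the new session cookie value."""
        self.logins += 1
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie

    def authorize(self, session_cookie, audience: str, user=None, now=None):
        """The endpoint an application redirects the browser to.

        With a valid session cookie no login prompt is shown; otherwise the
        user logs in first. Either way a fresh token bound to `audience` is
        issued. Returns (session_cookie, token)."""
        now = time.time() if now is None else now
        if session_cookie not in self.sessions:
            if user is None:
                raise PermissionError("no session; login required")
            session_cookie = self.login(user)
        claims = {
            "iss": "https://auth.example",          # constructed issuer
            "sub": self.sessions[session_cookie],
            "aud": audience,
            "iat": int(now),
            "exp": int(now) + 300,                  # constructed 5-minute lifetime
        }
        return session_cookie, sign_jwt(claims, self.key)


def run_sso_flow(now: float = 1_700_000_000.0) -> dict:
    """Walk through the answer's scenario and report what each site observed."""
    auth = AuthorizationServer(SECRET)
    site_a, site_b = "https://site-a.example", "https://site-b.example"

    # 1. First visit to site A: no session yet, so the user logs in once.
    cookie, token_a = auth.authorize(None, site_a, user="alice", now=now)
    a_claims = verify_jwt(token_a, SECRET, site_a, now=now)

    # 2. Replaying site A's token at site B fails on the aud check, even
    #    though both sites share the same HS256 secret.
    try:
        verify_jwt(token_a, SECRET, site_b, now=now)
        replay_rejected = False
    except ValueError:
        replay_rejected = True

    # 3. Site B redirects to the authorization server; the session cookie is
    #    presented, so a new token for site B is minted with no login prompt.
    cookie, token_b = auth.authorize(cookie, site_b, now=now)
    b_claims = verify_jwt(token_b, SECRET, site_b, now=now)

    return {
        "user_a": a_claims["sub"],
        "user_b": b_claims["sub"],
        "replay_rejected": replay_rejected,
        "interactive_logins": auth.logins,
        "distinct_tokens": token_a != token_b,
    }
```

Two design points worth noting. The session cookie lives on the authorization server's domain, which is why it works across sites on unrelated domains: each site only ever redirects to the same origin, and the browser sends that origin's first-party cookie. And because the secret is shared, the aud check in verify_jwt is the whole cross-site boundary; a site that skips it (or only checks the signature) will accept any token the server ever issued for any other site.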
