Is it ok to store user credentials in the JWT

Problem description

Is it ok to store user credentials (username / password) in the JWT (so sign it and verify the resulting token later)?

I heard that

No, it is not secure to send a password in a JWT. This is because the JWT claims are simply encoded and can easily be decoded by anyone that sees them. It is not secure to store any sensitive information in a JWT that is returned to a user

but I don't know why the JWT website recommends using it for authentication purposes then:

When should you use JSON Web Tokens?

Here are some scenarios where JSON Web Tokens are useful:

Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains

Solution

The JWT is the result of the authentication. For example:

  1. The user sends his credentials (e.g. username/password) to an authentication service. It could be a third-party one, one inside your monolith, or your own microservice dedicated to authentication.
  2. The service validates the username/password. If authentication succeeds it returns a JWT that represents that the user is already authenticated, in other words that he is who he claims he is. This JWT could contain a payload without sensitive information (don't store the password here).
  3. The user sends another request to a business service with the JWT. If the JWT isn't expired and is not corrupted (the signature is still valid) then the service could trust the JWT. Maybe this task will be delegated to an authorization service.

What is inside the JWT token?

Well, the simplest JWT contains information about the signature (I can't go into much detail here because I'm not a security expert) that allows checking whether the signature has been corrupted when a request with the JWT is received.

This information can be verified and trusted because it is digitally signed

Besides that, the JWT allows sending a payload.

More formally, the JWT is composed of:

  • Header: type of the token + hashing algorithm being used
  • Payload: Claims are statements about an entity (typically, the user) and additional metadata.
  • Signature: The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

For example, if I send a request to an authentication service with my credentials username:password being gabriel:giussi, it will check these credentials and if they're OK it could create the following JWT:

Then with every request I will send the encoded JWT that contains my username, and the service will

  • Perform authorization (what is Gabriel authorized to do?) if the JWT signature is valid.
  • Ask me to log in again if the JWT has expired.
  • Return an authentication error if the signature is broken.
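The three steps of the answer (login, token issue, token check) and the three outcomes it lists (valid, expired, broken signature), as an added example that is not part of the original answer: a minimal HS256 issuer and verifier written in plain Python with only hmac/hashlib/base64/json, no JWT library. The HMAC key, the salt, the user store and the gabriel:giussi credentials are constructed for the example. It also shows, via peek_payload, that the payload is readable by anyone holding the token, which is why the password must never be a claim.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed example: the authentication service's HMAC key. In practice it
# comes from a secrets store, never from source code.
SECRET_KEY = b"example-secret-key-not-for-production"

# Constructed user store: a salted PBKDF2 hash instead of the plaintext
# password, for the gabriel:giussi credentials used in the answer above.
_SALT = b"constructed-salt"
USERS = {
    "gabriel": hashlib.pbkdf2_hmac("sha256", b"giussi", _SALT, 100_000),
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as the JWT compact serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Step 2: mint a compact HS256 JWT (header.payload.signature).
    Header and payload are only base64url-encoded, not encrypted."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def login(username: str, password: str, now: int, ttl: int = 3600) -> Optional[str]:
    """Steps 1-2: validate username/password; return a JWT or None."""
    expected = USERS.get(username)
    if expected is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(candidate, expected):
        return None
    # Only identity and lifetime go into the token, never the password.
    return sign_jwt({"sub": username, "iat": now, "exp": now + ttl})


def verify_jwt(token: str, now: int, key: bytes = SECRET_KEY) -> Tuple[str, Optional[dict]]:
    """Step 3: returns ("ok", claims), ("expired", claims) or ("invalid", None),
    mirroring the three outcomes the answer lists. Signature is checked before
    the payload is trusted at all."""
    parts = token.split(".")
    if len(parts) != 3:
        return "invalid", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Accept only the algorithm this service issues; the token's own
        # "alg" field is attacker-controlled until the signature is checked.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return "invalid", None
        expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            return "invalid", None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            return "invalid", None
    except ValueError:  # bad base64 (binascii.Error), bad JSON, bad UTF-8
        return "invalid", None
    if int(claims.get("exp", 0)) <= now:
        return "expired", claims
    return "ok", claims


def peek_payload(token: str) -> dict:
    """What anyone holding the token can read without the key."""
    return json.loads(_b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    token = login("gabriel", "giussi", t0)
    print("issued:", token)
    print("readable without the key:", peek_payload(token))
    print("fresh request:", verify_jwt(token, t0 + 60)[0])
    print("after expiry:", verify_jwt(token, t0 + 7200)[0])
    h, _, s = token.split(".")
    forged = h + "." + _b64url(b'{"sub":"admin","exp":9999999999}') + "." + s
    print("tampered payload:", verify_jwt(forged, t0 + 60)[0])
```

The verifier returns the claims on "expired" so a caller can log who needs to re-authenticate, but returns nothing on "invalid": an unverified payload must not influence authorization decisions. Note that `peek_payload` needs no key; that is the whole reason the answer says not to put the password in the payload.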
