OpenID Connect with stateless JWT Tokens

Views: 1124

Question

I would like to use a self-hosted OpenID Connect (OIDC) server in combination with JWT as an authorization token (access token in OIDC terms). JWT would be used to protect REST services, while the UIs are a mix of classical and single-page applications (Angular). This way, the REST layer would be able to do the authorization based on a stateless JWT token, so no extra DB connections are necessary, as described here:

https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/

For a single page app, OIDC Implicit Flow is appropriate. However, I see a security problem when Implicit Flow is used in combination with stateless JWT tokens: Tokens are delivered as a fragment part in the URL which means there is no way to remove them (they are easily available in the browser history) nor invalidate them (they are stateless) -> no logout possible.

I see 2 options to mitigate this:

  1. Use very short-lived tokens (max up to several minutes). This may dramatically hinder usability.
  2. Use an authorization code flow by the means of AJAX. This is not OIDC-compliant but would make a logout possible as tokens would not be exposed in the URL.

The third option would be to give up stateless JWT tokens and use simple bearer tokens with DB checks.

Do I miss something? What would you choose?

Answer

One may argue about the risk of fragments ending up in browser history, but "simple" opaque bearer tokens would be subject to the same limitations that you describe for JWT tokens.

Using a code flow with AJAX is certainly not prevented by the OpenID Connect specification, so you could use just that; the implicit flow is only a recommendation for in-browser clients, as it optimizes the number of round-trips to get a token to the user agent.
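As an added example (not part of the question or the answer above), this is how the REST layer described in the question could validate a stateless JWT access token, with an optional revocation lookup standing in for the "DB check" the question names as its third option. HS256 with a shared secret is assumed for brevity; the secret, issuer and audience values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; a real deployment takes these from the OIDC provider.
SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISS = "https://op.example.invalid"   # hypothetical issuer
EXPECTED_AUD = "rest-api"                      # hypothetical audience (this REST layer)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the access token the OIDC server would issue."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now=None, secret: bytes = SECRET, revoked=frozenset()):
    """Stateless checks (signature, iss, aud, exp) first; the optional `revoked` set of jti
    values is the single stateful lookup that makes logout possible. Returns (claims, reason)."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return None, "malformed"
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != EXPECTED_ISS:
        return None, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUD:
        return None, "wrong audience"
    if now >= claims.get("exp", 0):           # a token without exp is treated as expired
        return None, "expired"
    if claims.get("jti") in revoked:
        return None, "revoked"
    return claims, "ok"
```

With short-lived tokens the revocation set only needs to hold entries until their `exp` passes, which keeps the stateful part small.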

