JWT: how to handle GET requests when user opens a new tab?

Views: 629

Question

There are a lot of advantages when using JWT over Cookies on API-centric apps and I understand that you can store the token on sessionStorage when accessing the app via a browser. You can set an interceptor on your JS code to inject the JWT token on the Authorization header for GET requests -- as long as these GET requests are being made from the same code that authenticated the user.

But what happens when the user is authenticated, then opens a new tab and tries to access a different restricted area (or even the same area) of the app/site? In this case, there is no interceptor to inject the token on the Authorization header on the new tab. I suppose the server will receive the GET request, look for a JWT token on the Authorization header and will not find it, rejecting the request.

When you are using Cookies, they are always sent by the browser natively and you don't have to worry about new tabs and authentication.

Is there a way to set up the Authorization header globally for the domain on the browser the moment the user authenticates in the first tab? What are the usual solutions for this matter, if any?

Recommended answer

Upon accessing a protected URL without the right credentials (like a JWT) the browser would be redirected to a specific endpoint (e.g. on the Authorization Server) where it can get a new JWT.

This happens for example in the OpenID Connect Implicit flow: http://openid.net/specs/openid-connect-implicit-1_0.html

But it would also be possible to store the JWT in a cookie. That's just not a standardized way of presenting JWTs so it would be specific to your client/browser and the protected application.

