Should a JWT web token be encrypted?


Question

I was reading an article on JWT web tokens as an access token that is returned to the user. Some of it mentions that the web token should be decodable by the user.

Does it mean that it is not good practice to decrypt the entire web token? For example, suppose I return the following JWT web token to the user, where this piece of information can be decoded.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

However, I feel that I do not want to let the user be able to decode his/her access token, so I use another encryption algorithm to encrypt everything into another form as follows and pass it back to the user.

So, I would decrypt this new text when I get this access token on the server and then decode it.

Is it recommended to do it this way if I do not wish to expose some of the values available in the claims (such as the user id) to the user? If not, what are the alternatives?

Recommended answer

A JWT (RFC7519) is just a compact way to safely transmit claims from an issuer to an audience over HTTP.

A JWT can be:

  • signed (JWS - RFC7515)
  • encrypted (JWE - RFC7516)
  • signed then encrypted (this order is highly recommended). The whole JWS is the payload of the JWE
  • encrypted then signed.

It makes sense to encrypt a JWS if you want to keep sensitive information hidden from the bearer (client) or from third parties.

The real questions are: does the audience support JWE? If yes, which algorithms are supported?
