What to store in a JWT?


Question

How do you guys deal with the same user on multiple devices? Won't data such as {admin: true} become stale except on the device that changed it?

Should this even be in a JWT? If not, and we resort to only putting the user ID in it, won't that be just like a cookie-based session, since we store the state on the server?

Answer

The JWT RFC establishes three classes of claims:

  • Registered claims like sub, iss, exp, nbf
  • Public claims with public names or names registered by IANA which contain values that should be unique, like email, address or phone_number. See the full list
  • Private claims to use in your own context, whose values can collide

None of these claims are mandatory.

A JWT is self-contained and should avoid using the server session, providing the necessary data to perform the authentication (no need for server storage and database access). Therefore, role info can be included in the JWT.

When using several devices there are several reasons to revoke tokens before expiration, for example when the user changes password or permissions, or the account is deleted by an admin. In this case you would need a blacklist or an alternative mechanism to reject the tokens.

A blacklist can include the token unique ID jti, or simply set an entry (sub - iss) after updating critical data on the user (password, permissions, etc.) and currentTime - maxExpiryTime < last iss. The entry can be discarded when currentTime - maxExpiryTime > last_modified (no more non-expired tokens sent).

The following claim names are registered in the IANA "JSON Web Token Claims" registry established by Section 10.1.

  • iss (issuer): identifies the principal that issued the JWT.
  • sub (subject): identifies the principal that is the subject of the JWT. Must be unique
  • aud (audience): identifies the recipients that the JWT is intended for (array of strings/URIs)
  • exp (expiration time): identifies the expiration time (UTC Unix) after which you must no longer accept this token. It should be after the issued-at time.
  • nbf (not before): identifies the UTC Unix time before which the JWT must not be accepted
  • iat (issued at): identifies the UTC Unix time at which the JWT was issued
  • jti (JWT ID): provides a unique identifier for the JWT.
{
    "iss": "stackoverflow",
    "sub": "joe",
    "aud": ["all"],
    "iat": 1300819370,
    "exp": 1300819380,
    "jti": "3F2504E0-4F89-11D3-9A0C-0305E82C3301",
    "context": {
        "user": {
            "key": "joe",
            "displayName": "Joe Smith"
        },
        "roles": ["admin", "finaluser"]
    }
}
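The following is an added example, not code from the answer above or from any JWT library. It puts the answer's two points together in one place: a verifier that checks the registered claims listed above (signature, iss, aud, exp, nbf, iat) and then applies the revocation mechanism the answer describes, both a jti blacklist and a per-subject "last critical change" entry that is purged once currentTime - maxExpiryTime passes it. The HS256 secret, the issuer name "example-issuer", the MAX_EXPIRY_SECONDS value and the sample subject are all constructed for the demo; it uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed demo values; a real service loads the key from a secret store.
SECRET = b"demo-hmac-key-not-for-production"
ISSUER = "example-issuer"
MAX_EXPIRY_SECONDS = 3600  # the longest lifetime the issuer ever grants


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, roles: list, now: int, ttl: int = MAX_EXPIRY_SECONDS) -> str:
    """Build a compact HS256 JWT with the registered claims plus a private 'roles' claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "aud": ["all"], "iat": now, "nbf": now,
               "exp": now + ttl, "jti": str(uuid.uuid4()), "roles": roles}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationList:
    """Server-side state for early revocation: jti blacklist plus (sub -> last_modified) entries."""

    def __init__(self):
        self.sub_modified = {}   # sub -> Unix time of last password/permission/account change
        self.revoked_jti = set()

    def mark_user_changed(self, sub: str, now: int):
        # Record the change so every token issued before it becomes stale.
        self.sub_modified[sub] = now

    def revoke_jti(self, jti: str):
        self.revoked_jti.add(jti)

    def purge(self, now: int):
        # An entry is only needed while a token issued before it can still be unexpired,
        # i.e. discard it once currentTime - maxExpiryTime > last_modified.
        self.sub_modified = {s: t for s, t in self.sub_modified.items()
                             if now - MAX_EXPIRY_SECONDS <= t}


def verify_token(token: str, revocations: RevocationList, now: int, audience: str = "all") -> dict:
    """Validate signature and registered claims, then apply revocation. Raises ValueError on rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'alg' from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if audience not in claims.get("aud", []):
        raise ValueError("wrong audience")
    if claims["exp"] <= claims["iat"]:
        raise ValueError("exp must be after iat")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", claims["iat"]):
        raise ValueError("not yet valid")
    if claims.get("jti") in revocations.revoked_jti:
        raise ValueError("token revoked")
    # Subject-based revocation: a token issued at or before the user's last critical change is stale.
    changed_at = revocations.sub_modified.get(claims["sub"])
    if changed_at is not None and claims["iat"] <= changed_at:
        raise ValueError("token issued before user's critical data changed")
    return claims


def is_accepted(token: str, revocations: RevocationList, now: int) -> bool:
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(token, revocations, now)
        return True
    except (ValueError, KeyError):
        return False
```

The sub-based entry is what answers the multi-device question: one password change invalidates every outstanding token for that user, on every device, without the server having to know which tokens exist. The price is exactly what the answer acknowledges: a small piece of server-side state per recently changed user, bounded by the maximum token lifetime.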

See an alternative approach here: https://stackoverflow.com/a/37520125/6371459
