Does Using Opaque Access Tokens Make My Server Stateful?


Question

I am trying to understand statelessness in RESTful APIs in the context of authentication. Here's the scenario:

  1. The user logs in.
  2. The server validates the username and password and generates an opaque access token. It caches some information related to this token, e.g. the expiry time, the userId, whether this token was explicitly invalidated before expiry, and so on.
  3. The token is sent to the client, which sends it with every subsequent request.

Fielding's dissertation defines statelessness as:

"...such that each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client."

In my example, the client is sending the token with every request, so the first condition is satisfied. However, my server has a context associated with this session that is stored in the sessions cache.

Does this make my application stateful?

If yes, then can true statelessness be achieved only if we are using JWTs? I am pondering this because JWTs are quite new, so how were architects building truly stateless services before they were invented?

Recommended answer

That's right. If you are maintaining the session, you are keeping the state in the server, which makes the application hard to scale. Truly stateless applications can be scaled out, and any server should be able to handle the request.

JWT is a popular way to avoid sessions: everything is encapsulated inside the token for any server to authenticate/authorize the request, which helps us achieve a stateless application. They come with their own challenges; however, OpenID Connect is the new way for authentication/authorization.

Before JWT, to make the application stateless we used to keep the session in a DB (or shared cache), and any server that wanted to check the session would have to contact the DB.

Hope it helps!
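To make the contrast in the answer concrete, here is an added example (not code from the question or the answer) that places an opaque token backed by a shared session store next to a self-contained HMAC-signed token that any instance holding the key can verify. The signing key, store layout and claim names are constructed for this example; the final comment notes the trade-off that early revocation of a signed token reintroduces server-side state.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
# Constructed key shared by every server instance (an assumption for this example).
SIGNING_KEY = b"constructed-shared-key-for-example-only"

# --- Opaque token: every request needs a lookup in a shared store (DB/cache) ---
SESSION_STORE = {}  # token -> {"user_id", "exp", "revoked"}; this is the server-side context

def issue_opaque_token(user_id, ttl=3600, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # random, meaningless to the client
    SESSION_STORE[token] = {"user_id": user_id, "exp": now + ttl, "revoked": False}
    return token

def verify_opaque_token(token, now=None):
    now = time.time() if now is None else now
    entry = SESSION_STORE.get(token)  # without this shared state no server can verify
    if entry is None or entry["revoked"] or now >= entry["exp"]:
        return None
    return entry["user_id"]

# --- Self-contained token: claims + HMAC, verifiable by any instance holding the key ---
def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def issue_signed_token(user_id, ttl=3600, now=None):
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": user_id, "exp": int(now + ttl)}).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest())
    return (payload + b"." + sig).decode()

def verify_signed_token(token, now=None):
    now = time.time() if now is None else now
    try:
        payload, sig = token.encode().split(b".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time check before trusting claims
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + b"=" * (-len(payload) % 4)))
    if now >= claims["exp"]:
        return None
    # Revoking a signed token before "exp" needs state again (a denylist): the answer's "own challenges".
    return claims["sub"]
```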
