Does it make sense to store JWT in a database?

Views: 771

Problem description

I've implemented a basic authentication system with Spring Boot, Spring Security, OAUTH2 and JWT as auth tokens. It works alright but I was thinking if it makes sense to store JWT in a database and check if a token exists every time someone makes an authenticated request using it? I was thinking specifically of the following scenario: user is authenticated in a mobile device and they lose it so they want to deauthorize that device. They would then be able to issue an operation that clears the tokens issued to their user id and deauthorize all tokens assigned to them. Any other way? Am I thinking this wrong or overcomplicating things?

This is for securing a REST API that is going to get called from a mobile APP.

Recommended answer

You could store the JWT in the db but you lose some of the benefits of a JWT. The JWT gives you the advantage of not needing to check the token in a db every time since you can just use cryptography to verify that the token is legitimate. If you have to look up the token in the db, you might as well just use an opaque token that doesn't carry information with it and let the server and database provide you with the information. On the other hand, if you're going to store a token in the db, I don't think a JWT is a bad choice for your token type. As you say, there are advantages for revocation if you store your token in the db. It all depends on what you want to achieve (faster authorization, etc. vs ability to revoke on demand).

You can still use JWT with OAuth2 without storing tokens in the db if you want. JWTs have a configurable expiry time that you can set, after which they are invalid. Access Tokens (whether JWT or not) should usually be short-lived for security. If the concern is someone's phone being stolen and access tokens being obtained, I think the solution is to have those tokens expire quickly (30 mins?). If you're using oauth2, the means of stopping someone from continuing to use the app is for the real owner to de-authorize the mobile app client on the authorization server so that no more access tokens will be given out.
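The following is an added example, not code from the question, the answer, or Spring Security: a minimal Python illustration of the two verification paths the answer contrasts. `verify_stateless` does only what a JWT lets you do without a database (pin the algorithm, check the HMAC signature, check `exp`); `verify_with_revocation` runs the same checks and then consults a revocation store that stands in for the database table the question proposes. The store supports both the per-device case (denylist one token's `jti`) and the lost-phone case (record a per-user cutoff so every token issued before it is dead). The HS256 key, the in-memory store, and the use of a `jti` claim are assumptions of this example; a real deployment would load the key from a secret store and keep the revocation table in a database whose rows can be purged once the longest token TTL has elapsed.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Dict, Optional, Set

# Constructed demo key for this example only; load from a secret store in production.
SECRET = b"demo-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(sub: str, ttl_seconds: int, now: Optional[float] = None,
             jti: Optional[str] = None) -> str:
    """Issue an HS256 JWT carrying sub, iat, exp and a unique jti (assumed claim)."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": int(now), "exp": int(now) + ttl_seconds,
               "jti": jti or uuid.uuid4().hex}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_stateless(token: str, now: Optional[float] = None) -> dict:
    """The no-database path: algorithm pin, signature, expiry. Raises ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm server-side; never let the token's alg claim pick the verifier
    # (this is what blocks alg=none and HMAC/RSA confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    # Missing exp fails closed: a token with no expiry is treated as expired.
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


class RevocationStore:
    """In-memory stand-in for the database table the question proposes.

    Two strategies, both cheap (one lookup per request, no token bodies stored):
      * revoke_token: denylist a single jti (one lost device)
      * revoke_all_for_user: record a cutoff; tokens issued at or before it are dead
    Rows only need to live until the longest token TTL has passed.
    """

    def __init__(self) -> None:
        self.revoked_jti: Set[str] = set()
        self.user_cutoff: Dict[str, int] = {}

    def revoke_token(self, jti: str) -> None:
        self.revoked_jti.add(jti)

    def revoke_all_for_user(self, sub: str, at: float) -> None:
        self.user_cutoff[sub] = int(at)

    def is_revoked(self, payload: dict) -> bool:
        if payload["jti"] in self.revoked_jti:
            return True
        cutoff = self.user_cutoff.get(payload["sub"])
        # iat <= cutoff fails closed for a token minted in the same second as the revocation.
        return cutoff is not None and payload["iat"] <= cutoff


def verify_with_revocation(token: str, store: RevocationStore,
                           now: Optional[float] = None) -> dict:
    """The database path: do the cheap cryptographic checks first, then one store lookup."""
    payload = verify_stateless(token, now)
    if store.is_revoked(payload):
        raise ValueError("revoked")
    return payload
```

Note the ordering in `verify_with_revocation`: the signature and expiry are checked before touching the store, so an attacker cannot make the server do a database query with a forged token, and expired tokens never need a revocation row at all. That is also why short `exp` values matter even with a revocation table: they bound how long each row must be kept.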
