带有JWT的AngularJS或SPA-到期和刷新 [英] AngularJS or SPA with JWT - expiry and refresh

问题描述

我了解登录和JWT发行方面的JWT和单页应用程序的流程.但是，如果JWT即将到期，并且服务器没有针对每个请求发布新的JWT，那么更新的最佳方法是什么?有刷新令牌的概念，但是在Web浏览器中存储这样的东西听起来像是一张金票.

I understand the flow of JWT and a single page application in terms of login and JWT issuance. However, if the JWT has a baked in expiry, AND the server isn't issuing a new JWT on each request, what is the best way for renewing? There is a concept of refresh tokens, but storing such a thing in a web browser sounds like a golden ticket.

IE，我可以轻松地进入浏览器的本地存储并窃取刷新令牌.然后，我可以去另一台计算机并给自己发行新的令牌.我觉得在JWT中引用的数据库中需要有一个服务器会话.因此，服务器可以查看会话ID是否仍处于活动状态或是否由刷新令牌使之无效.

IE I could easily go into a browsers local storage and steal a refresh token. Then I could go to another computer and issue myself a new token. I feel like there would need to be a server session in a db that's referenced in the JWT. Therefore the server could see if the session ID is still active or invalidated by a refresh token.

在用户处于活动状态时，在SPA中实现JWT并处理新令牌发行的安全方法是什么?

What are the secure ways to implement JWT in a SPA and handling new token issuance whilst the user is active?

推荐答案

如果您的服务器中没有其他限制需要检查1，则每15分钟更新一次令牌(如果令牌可以使用30天)是可行的闲置1小时以注销用户.如果您只是想让这个短暂的JWT并继续进行更新，那就可以了.

Renewing the token every 15 minutes (if it lives for 30) works if you don't have another restriction in your server in which you need to check for 1 hour inactivity to log the user out. If you just want this short lived JWT and keep on updating it, it'd work.

我认为使用JWT的一大优点是实际上不需要服务器会话，因此不使用JTI.这样，您根本不需要同步，因此这是我建议您遵循的方法.

I think one of the big advantages of using JWT is to actually NOT need a server session and therefore not use the JTI. That way, you don't need syncing at all so that'd be the approach I'd recommend you following.

如果您要强制注销不活动的用户，只需将JWT设置为在一小时内到期即可.有一个$ interval，它每隔约50分钟会根据旧的IF自动获得一个新的JWT，如果在最近50分钟内至少执行了一次操作(您可以有一个请求拦截器，它仅对请求进行计数以检查他是否处于活动状态)就是这样.

If you want to forcibly logout the user if he's inactive, just set a JWT with an expiration in one hour. Have a $interval which every ~50 minutes it automatically gets a new JWT based on the old one IF there was at least one operation done in the last 50 minutes (You could have a request interceptor that just counts requests to check if he's active) and that's it.

这样一来，您不必将JTI保存在数据库中，也不必进行服务器会话，并且这种方法也不比其他方法差很多.

That way you don't have to save JTI in DB, you don't have to have a server session and it's not a much worse approach than the other one.

您怎么看?

这篇关于带有JWT的AngularJS或SPA-到期和刷新的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！