JWT authentication concept


Question

I am currently working on an interaction between an Angular JS app and a Node.js server (as API) with authentication based on JSON Web Token.

But I have a question I can't answer by myself: when you encode the JWT server-side putting a user as payload, how do you proceed to retrieve the user information client-side? Here is a small example to understand my question:

I am a basic user, I send my credentials to the API for authenticating. In exchange, I receive a JWT token, but I don't have any information about the user since only the server has the secret key that is able to decode the JWT token. So does the server need to send me, for example, the id of the user so that I could call my API user/id for retrieving information about the authenticated user?

Answer

You retrieve the user's info by decoding the token on each request. So in your example, after the token is returned to the client, the client makes a request to the server to grab the user's first and last name using the data stored in the encoded token, which is sent along with the request back to the server. When making this GET request, you can send the token as a parameter. I'll use a non-cookie stored example. Here's how it goes down:

  1. The user signs in with their username and password.
  2. The server encodes a JSON Web Token payload containing the unique identifier of the signed-in user (i.e. user_id) using a secret_key. An example function call might look like this:

     payload = {user_id: 35}
     user_token = JWT.encode(payload, "your_secret_key");

  3. Return the user_token to the client and store said token in a hidden HTML tag or in a localStorage variable. Using Angular, I'd store it in localStorage.
  4. Now that the user is signed in and the token is client-side, you can submit a GET request that contains the user_token as a parameter. Remember, this user_token payload contains the user_id.
  5. The server gets the parameter and decodes the user_token to get the user_id from the payload.
  6. You query the database with the user_id and return the data (first and last name) as plain JSON, NOT ENCODED.

It's important to remember that the only thing to encode in your example is the unique identifier (user_id). On each request you decode the token, which itself is the authentication mechanism.
