asp.net core JWT in uri query parameter?


Problem description

I have an API that is protected by JWT and the Authorize attribute, and at the client I use a jQuery AJAX call to deal with it.

This works fine; however, I now need to be able to secure downloading of files, so I can't set a header Bearer value. Can it be done in the URI as a URL parameter?

=-=-=-=-

UPDATE: This is what I ended up doing for my scenario, which is an in-house project with very low volume, but security is important and it might need to scale in future:

When the user logs in I generate a random download key, put it in their user record in the DB along with the expiry date of their JWT, and return the download key to the client. The download route is protected to only allow a download if there is a query parameter that carries the download key, that key exists in the user records, and the expiry date has not passed. This way the DL key is unique per user, valid as long as the user's auth session is valid, and can be revoked easily.
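The scheme described in the update, as an added example that is not code from the question or the answers: a minimal ASP.NET Core app that issues a per-user download key over the JWT-protected API, stores only its hash with the JWT's expiry, and checks the key from the query string on the download route. It assumes the default .NET 6+ web template (implicit usings), an existing JWT bearer configuration, and that the user id is available as the "sub" / NameIdentifier claim and the expiry as "exp"; the in-memory dictionary stands in for the user table.

```csharp
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication().AddJwtBearer();   // JWT options as in the existing API (assumed)
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Stand-in for the user record: SHA-256(download key) -> (user id, expiry copied from the JWT).
// Only the hash is stored, so a leaked table row does not yield a usable key.
var keys = new ConcurrentDictionary<string, (string UserId, DateTimeOffset ExpiresAt)>();
static string Hash(string key) => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(key)));
static string UserIdOf(ClaimsPrincipal u) =>
    (u.FindFirst(ClaimTypes.NameIdentifier) ?? u.FindFirst("sub"))!.Value;   // "sub" is usually remapped

// Issued over the normal JWT-protected API, so the bearer token itself never enters a URL.
app.MapPost("/download-key", [Authorize] (HttpContext ctx) =>
{
    var expiresAt = DateTimeOffset.FromUnixTimeSeconds(long.Parse(ctx.User.FindFirst("exp")!.Value));
    var key = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));   // 256 random bits, not guessable
    keys[Hash(key)] = (UserIdOf(ctx.User), expiresAt);
    return Results.Ok(new { downloadKey = key, expiresAt });
});

// The download route takes the key as a query parameter (?key=...) instead of an Authorization header.
app.MapGet("/download/{file}", (string file, string key) =>
{
    if (!keys.TryGetValue(Hash(key), out var record)) return Results.Unauthorized();
    if (record.ExpiresAt <= DateTimeOffset.UtcNow)          // the key lives no longer than the JWT did
    {
        keys.TryRemove(Hash(key), out _);
        return Results.Unauthorized();
    }
    // Path.GetFileName drops any directory part, so the route cannot reach outside the download folder.
    var name = Path.GetFileName(file);
    var path = Path.Combine(app.Environment.ContentRootPath, "downloads", name);
    return File.Exists(path) ? Results.File(path, "application/octet-stream", name) : Results.NotFound();
});

// Revocation: dropping the records invalidates every key this user holds immediately (e.g. on logout).
app.MapPost("/logout", [Authorize] (HttpContext ctx) =>
{
    var userId = UserIdOf(ctx.User);
    foreach (var entry in keys.Where(e => e.Value.UserId == userId)) keys.TryRemove(entry.Key, out _);
    return Results.NoContent();
});

app.Run();
```

The key still lands in browser history and server logs like any query parameter, which is why it is a separate per-user, short-lived, revocable value rather than the JWT itself.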

Recommended answer

Although it is technically possible to include a JWT in the URL, it is strongly discouraged. See the quote from here, which explains why it's a bad idea:

Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example, as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.

However, if you have no choice or just don't care about security practices, see Technetium's answer.
