我需要分别为每个用户管理jwt秘密密钥吗? [英] I need to manage jwt secret keys individually for each user?
问题描述
我使用jsonwebtoken模块实现了jwt身份验证.但是,在生成和验证jwt令牌时,是否需要为每个用户创建和管理任意密钥?为每个用户分别管理密钥与使用一个密钥生成和验证jwt令牌之间有区别吗?
I implemented jwt authentication using the jsonwebtoken module. But do I need to create and manage arbitrary secret keys for each user when generating and verifying jwt tokens? Is there a difference between managing secret keys separately for each user and generating and verifying jwt tokens with one secret key?
推荐答案
不,您使用单个密钥对令牌进行签名.这是因为当令牌在请求中返回给您时,您需要能够对令牌进行解码,并且此时您不知道真正的用户是否在发送您的令牌,因为您尚未验证它
No, you use a single secret key to sign your tokens. This is because when the token comes back to you in a request, you need to be able to decode the token, and at this point you don’t know whether a genuine user is sending your token, because you haven’t verified it yet.
使用单个密钥签名和验证令牌,并记住确保安全.
Use a single key to sign and verify your tokens, and remember to keep it safe.
这篇关于我需要分别为每个用户管理jwt秘密密钥吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!