custom refresh token method in JWT method

Views: 580

Question

According to this article http://www.jianshu.com/p/b11accc40ba7, one method to secure the JWT is a refreshToken:

In the central auth server, we maintain a table like this:

-- column types are assumed; the question gives only the column names
CREATE TABLE auth_tokens (
    user_id  VARCHAR(64) PRIMARY KEY,  -- one row per user
    jwt_hash CHAR(64)    NOT NULL,     -- hash of the token currently registered for the user
    expire   TIMESTAMP   NOT NULL      -- expiry of that token
);

The workflow is as follows:

The user requests the login API with a phone number and we verify it; after that, the auth server sends one token and registers it (adds one row in the table).

When the token has expired, the user requests the exchange API with the old token. First the auth server validates the old token as normal, except for the expiry check, then creates the token hash value, then looks up the above table by user id:

  • a. If a record is found and user_id and jwt_hash match, then issue a new token and update the table.

  • b. If a record is found, but user_id and jwt_hash do not match, it means someone has used the token to exchange for a new token before. The token has been hacked: delete the records by user_id and respond with alert information.

  • c. If no record is found, the user needs to log in again or only input the password. When the user changes the password or logs out, delete the record by user id.

To use the token continuously, both the legal user and the hacker need to exchange for new tokens continuously, but only one can succeed; when one fails, both need to log in again at the next exchange time.

So if a hacker got the token, it can be used for a short time, but they can't exchange it for a new one if the legal user exchanged for a new one first; because the token validity period is short, it is more secure.

If there is no hacker, the normal user also needs to exchange for a new token periodically, such as every 30 minutes; this is just like logging in automatically. The extra load is not high and we can adjust the expiry time for our application.

But imagine this variation:

For example, a hacker got Bob's token, and he knows Bob is asleep from 1:00 am to 6:00 am. So the hacker can use the token at night continuously until Bob gets up the next day and uses the application.

One solution is that at night the user should enter username and password instead of the token, but in my opinion this is not a good solution! Do you know a better solution?

Thanks in advance

Answer

This solution is full of drawbacks and has few advantages:

  • requires server storage. You lose JWT statelessness. Even for tokens that are never going to be revoked

  • tokens, in fact, can be used forever just by refreshing with the old one

  • one token per user means one and only one device using the API. For example, a login on a mobile device would invalidate a session in a desktop browser

  • an attacker can use the token while the user is sleeping (as you described)

Then, the advantages: you can revoke a token. If you really need it (it is recommended for JWT to let tokens expire), I believe there are easy ways to implement it. See Invalidating client side JWT session

Note that your question started by talking about "refresh" tokens, but later you described a custom mechanism to refresh and revoke which has nothing to do with them. A refresh token is long lived, persistent and is used only to obtain short lived access tokens
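As an added example (not code from the question, the answer, or any library), here is the exchange workflow the question describes, written in Python with only the standard library: a minimal HS256 JWT, the auth_tokens table as an in-memory dict keyed by user_id, and the three outcomes a/b/c. The demo then reproduces the drawback the answer raises: with one row per user, a login on a second device overwrites the first device's row, so the first device's next perfectly legitimate exchange is misread as a replay and both sessions are revoked. Only the column names and the 30-minute lifetime come from the question; the signing key, the jti claim, the outcome strings and every function name are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed demo key; a real auth server loads its signing key from a secrets store.
SECRET = b"demo-signing-key-not-for-production"
TOKEN_TTL = 30 * 60  # the 30-minute token lifetime the question uses


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(user_id: str, now: float) -> str:
    """Minimal HS256 JWT: sub, iat, exp and a random jti so two tokens never collide."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "iat": int(now), "exp": int(now + TOKEN_TTL),
              "jti": secrets.token_hex(8)}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: float, check_exp: bool = True) -> Optional[dict]:
    """Returns the claims when the signature is valid; exp is enforced only if check_exp."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None
    if check_exp and now >= claims["exp"]:
        return None
    return claims


def jwt_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


# The question's auth_tokens table: exactly one row per user_id.
auth_tokens: dict = {}


def login(user_id: str, now: float) -> str:
    """Step 1: the phone has been verified; issue a token and register its hash."""
    token = mint_jwt(user_id, now)
    auth_tokens[user_id] = {"jwt_hash": jwt_hash(token), "expire": now + TOKEN_TTL}
    return token


def exchange(old_token: str, now: float) -> Tuple[str, Optional[str]]:
    """Step 2: trade an old (possibly expired) token for a new one."""
    claims = verify_jwt(old_token, now, check_exp=False)  # validate as normal, except expiry
    if claims is None:
        return "invalid", None
    user_id = claims["sub"]
    row = auth_tokens.get(user_id)
    if row is None:
        return "login_required", None           # case c: no record, log in again
    if row["jwt_hash"] != jwt_hash(old_token):
        del auth_tokens[user_id]                # case b: stale token replayed, revoke the user
        return "reuse_detected", None
    return "issued", login(user_id, now)        # case a: rotate and overwrite the row


def demo() -> dict:
    """Runs the three cases, then the one-device-per-user drawback from the answer."""
    auth_tokens.clear()
    t0 = 0.0
    bob = login("bob", t0)
    leaked_copy = bob                                        # constructed scenario: Bob's token leaks
    rotation, bob2 = exchange(bob, t0 + TOKEN_TTL)           # case a
    replay, _ = exchange(leaked_copy, t0 + TOKEN_TTL + 1)    # stale hash -> case b
    bob_after, _ = exchange(bob2, t0 + TOKEN_TTL + 2)        # row gone -> case c, Bob is logged out too
    # Drawback: Alice logs in on desktop, then on mobile; the mobile row overwrites the desktop row,
    # so the desktop's legitimate exchange is misread as a hijack and both sessions are revoked.
    desktop = login("alice", t0)
    mobile = login("alice", t0 + 60)
    desktop_res, _ = exchange(desktop, t0 + TOKEN_TTL)
    mobile_res, _ = exchange(mobile, t0 + TOKEN_TTL + 1)
    return {"rotation": rotation, "replay": replay, "bob_after": bob_after,
            "desktop": desktop_res, "mobile": mobile_res}


if __name__ == "__main__":
    print(demo())
```

The hash comparison in exchange is exactly what gives the scheme its reuse detection, and exactly what makes it single-device: the server cannot tell a second legitimate device from a replayed token because both simply fail to match the one stored hash. Keying the table by a per-token id instead of by user_id, as the answer's refresh-token model implies, is what separates the two cases.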
