什么是基于令牌的身份验证? [英] What is token-based authentication?

问题描述

我想了解基于令牌的身份验证的含义.我搜索了互联网，但找不到任何可以理解的东西.

I want to understand what token-based authentication means. I searched the internet but couldn't find anything understandable.

推荐答案

我认为

I think it's well explained here -- quoting just the key sentences of the long article:

基于令牌的身份验证系统是 简单的.允许用户输入他们的 用户名和密码，以便 获取令牌，使他们能够 获取特定资源-不 使用他们的用户名和密码. 一旦获得他们的令牌， 用户可以提供令牌- 提供对特定资源的访问 在一段时间内-到达遥控器 网站.

The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource - without using their username and password. Once their token has been obtained, the user can offer the token - which offers access to a specific resource for a time period - to the remote site.

换句话说:添加一个间接身份验证级别-无需为每个受保护的资源使用用户名和密码进行身份验证，用户只需以这种方式进行一次身份验证(在有限持续时间的会话内)，并获得时间限制令牌返回，并在会话期间使用该令牌进行进一步的身份验证.

In other words: add one level of indirection for authentication -- instead of having to authenticate with username and password for each protected resource, the user authenticates that way once (within a session of limited duration), obtains a time-limited token in return, and uses that token for further authentication during the session.

优势很多-例如，用户可以在获得令牌后将令牌传递给其他一些他们愿意在有限的时间和有限的资源范围内信任的自动化系统，但是不不愿意使用其用户名和密码(即，允许他们永久或至少直到他们更改密码之前访问的所有资源)信任他们.

Advantages are many -- e.g., the user could pass the token, once they've obtained it, on to some other automated system which they're willing to trust for a limited time and a limited set of resources, but would not be willing to trust with their username and password (i.e., with every resource they're allowed to access, forevermore or at least until they change their password).

如果仍然不清楚，请编辑您的问题以澄清您对100％不清楚的地方，我相信我们可以为您提供进一步的帮助.

If anything is still unclear, please edit your question to clarify WHAT isn't 100% clear to you, and I'm sure we can help you further.

这篇关于什么是基于令牌的身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！