Best Way For Token Validation in Angular


Question

In a WebApp development with AngularJS which uses token validation for authentication purposes, what's the best way to do this validation? For example:

  1. Validate the token every time I have a route transition. For this I have to make a REST call every time I want to validate.
  2. Validate the token just one time, with one REST call, and then store the token in local storage. (The token itself just has a boolean telling if it is authenticated or not)

My concern is to not make a REST call in every route transaction, I don't want to consume that much HTTP traffic. But, if there isn't another way, I will do that.

Recommended answer

If we look into what a JSON Web Token (JWT) is (although you're not specifically referring to JWT, but simply to "token"), you will realize that once you have got a JWT you do not need to validate it every time you make a transition in the client app (Angular). This is because JWTs are usually signed, so the server can be sure the senders (in this case the Angular app) are who they say they are when they make a request.

What you need to do is to send the JWT on every request in a header to the API server every time you try to consume a resource. The server is in charge of checking that you are sending a valid JWT and of assigning the proper permissions to that request in order to get access to the resources.

Conclusion (and answering your questions)

1. Validate the token every time I have a route transition. For this I have to make a REST call every time I want to validate.

No, this is useless, since the given token is already signed by the server. If the token is manipulated in the client in any way the resource server will know it and will answer with the proper HTTP status code (usually a 401 HTTP status).

What you can do is, in case the server responds with a 401, use a Refresh Token (if the server provides it) in order to get a new access token and use it again on every request. This way the final user will never know what's going on behind the scenes (and won't see a login form again) because you won't ask him/her again for the username and password.

2. Validate the token just one time, with one REST call, and then store the token in local storage. (The token itself just has a boolean telling if it is authenticated or not)

This is a correct approach (and used by most people); this way you do not overload the traffic with unnecessary requests. Actually, when you get the access token, you do not need to validate it because, as I said before, the token itself is self-contained (it contains all the required information about the user and other necessary data the token provider considers important).

If I were you I would read a lot about this, since there is much more to get to know than what any answerer can put together in a single answer here on SO (I put some links to sources I've used and which describe these topics pretty well).

Bear in mind that all these behaviors can be modified according to your needs and not all of them have to be the way I just described. I just put some examples of how it could be.

The image below will give you a big picture of all these matters I just described.
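As an added example (not part of the original answer, and not Angular's or AngularJS's own code), here is the flow the answer describes in framework-agnostic JavaScript: every request carries the JWT in the Authorization header, the server alone decides whether it is valid, and a 401 triggers a single refresh-token exchange and a single retry. The synchronous `transport` function, the `/auth/refresh` endpoint, the `refresh_token`/`access_token` field names and the fake server are assumptions made for this example; in an AngularJS app the same logic would sit in an `$http` interceptor.

```javascript
// Framework-agnostic client for the flow in the answer (added example).
// `transport(url, options)` is an assumed synchronous stand-in for $http/fetch
// returning {status, body}, so the logic can be exercised offline.
class TokenClient {
  constructor(transport, accessToken, refreshToken) {
    this.transport = transport;
    this.accessToken = accessToken;
    this.refreshToken = refreshToken;
    this.refreshCount = 0; // number of refresh exchanges performed (for inspection)
  }

  // Every resource request carries the JWT in the Authorization header.
  request(url, options) {
    const opts = options || {};
    const send = () => this.transport(url, {
      method: opts.method || 'GET',
      headers: Object.assign({}, opts.headers, { Authorization: 'Bearer ' + this.accessToken }),
      body: opts.body,
    });
    let res = send();
    // The server, not the client, decides validity: a 401 means it rejected the
    // token (expired, altered, revoked). Try exactly one refresh, never a loop.
    if (res.status === 401 && this.refreshToken) {
      const refreshed = this.transport('/auth/refresh', { // assumed endpoint name
        method: 'POST',
        body: { refresh_token: this.refreshToken },
      });
      // Refresh rejected too: surface the 401 so the app can show the login form.
      if (refreshed.status !== 200) return res;
      this.accessToken = refreshed.body.access_token;
      this.refreshCount += 1;
      res = send(); // retry the original request once with the new token
    }
    return res;
  }
}

// Constructed fake API server for offline use: it accepts only the access
// token it currently considers valid and rotates it on a valid refresh.
function makeFakeServer(state) {
  return (url, opts) => {
    if (url === '/auth/refresh') {
      if (!opts.body || opts.body.refresh_token !== state.refreshToken) return { status: 401, body: null };
      state.accessToken = 'access-' + (++state.rotation); // hypothetical rotated token value
      return { status: 200, body: { access_token: state.accessToken } };
    }
    if (opts.headers.Authorization !== 'Bearer ' + state.accessToken) return { status: 401, body: null };
    return { status: 200, body: { resource: url } };
  };
}
```

Note that the client never inspects or verifies the token's contents; it only reacts to the status code the resource server returns, which is the point the answer makes.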
