在JWT中设置角色是否是最佳做法? [英] Is setting Roles in JWT a best practice?

问题描述

我正在考虑使用JWT.在 jwt.io示例中，我在有效负载数据中看到以下信息:

I am considering to use JWT. In the jwt.io example I am seeing the following information in the payload data:

"admin": true

可以将管理员视为一个角色，因此是我的问题.在令牌有效载荷中设置角色是一种习惯/良好做法吗?鉴于角色可以动态修改，所以我很有疑问.

Admin can be considered as a Role, hence my question. Is setting the role in the token payload a habitual/good practice? Given that roles can be dynamically modified, I'm quite interrogative.

推荐答案

如果对客户有用，没有什么阻止您创建将额外信息存储在令牌中的声明.

Nothing stops you from creating claims to store extra information in your token if they can be useful for your client.

但是，我仅依赖JWT进行身份验证(调用者是谁).如果您需要执行授权(呼叫者可以执行的操作)，请从持久性存储中查找呼叫者的角色/权限，以获取最新的价值.

However I would rely on JWT only for authentication (who the caller is). If you need to perform authorization (what the caller can do), look up the caller roles/permissions from your persistent storage to get the most updated value.

对于短暂的令牌(例如，在微服务集群中传播身份验证和授权时)，我发现在令牌中具有角色很有用.

For short-lived tokens (for example, when propagating authentication and authorization in a microservices cluster), I find it useful to have the roles in the token.

这篇关于在JWT中设置角色是否是最佳做法?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！