JWT token SSO flow


Question

I have a simple question about SSO flow with JWT

Let's say we have separate Authorization Server, which provides the JWT to the client app/server and Resource server, where client trying to access with that token.

The question is, should the Resource server validate the token by itself (e.g. share a private certificate with the Auth Server) or should it request the Auth Server to validate the JWT for each client request?

Recommended answer

The JWT specification was built with scalability in mind. The purpose of JWT's design is that any trusted app can validate the signature block. If you care about performance then use a SHA-256 HMAC and validate the signature locally on each endpoint with a shared secret. Using an asymmetric signature for JWT creates overhead, but you can store the public key on endpoints that verify but do not issue JWT, and then the private key on the central authority that issues tokens. This separation of concern between validation and issuing reduces the possibilities that the token creation process can be subverted by an adversary (Read: Defense-in-depth).

If you need to revoke tokens in real time, then you need a central authority which validates each token. This works, but it defeats the purpose of JWT's design, and the system would be better off just issuing a cryptographic nonce as the token.
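The two designs the answer contrasts, as an added example that is not part of the original answer: an authorization server issues tokens either with HS256 (shared secret, so every resource server can verify locally) or with RS256 (only the issuer holds the private key; resource servers hold the public key). The code uses only the Go standard library, a minimal claim set (`sub` and `exp`; no `kid`, `aud` or `nbf`), a constructed demo secret and an RSA key generated in-process; those are assumptions for the demo, not part of the original post. HS256 is HMAC-SHA256 and RS256 is RSASSA-PKCS1-v1_5 over SHA-256, as defined in RFC 7518.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal payload used here; "exp" lets a resource server reject
// stale tokens without calling back to the authorization server.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// signingInput builds base64url(header).base64url(payload); the issuer fixes alg.
func signingInput(alg string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	payload, _ := json.Marshal(c) // plain struct: cannot fail
	return base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(payload)
}

// IssueHS256: authorization server side of the shared-secret design.
func IssueHS256(secret []byte, c Claims) string {
	in := signingInput("HS256", c)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return in + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// IssueRS256: authorization server side of the asymmetric design; only this
// component holds the private key (RS256 = RSASSA-PKCS1-v1_5 over SHA-256).
func IssueRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	in := signingInput("RS256", c)
	digest := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return in + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// split decodes the three segments and rejects any token whose header alg is not
// the one this verifier is configured for: the verifier, never the token, picks
// the algorithm and therefore the key.
func split(tok, wantAlg string) (in string, sig, payload []byte, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 { return "", nil, nil, errors.New("malformed token") }
	hdr, _ := base64.RawURLEncoding.DecodeString(parts[0]) // a bad header fails the alg check below
	var h struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdr, &h) != nil || h.Alg != wantAlg { return "", nil, nil, errors.New("unexpected alg") }
	if payload, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil { return "", nil, nil, err }
	if sig, err = base64.RawURLEncoding.DecodeString(parts[2]); err != nil { return "", nil, nil, err }
	return parts[0] + "." + parts[1], sig, payload, nil
}

// checkClaims runs only after the signature has been verified.
func checkClaims(payload []byte, now time.Time) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil { return Claims{}, err }
	if now.Unix() >= c.Exp { return Claims{}, errors.New("token expired") }
	return c, nil
}

// VerifyHS256: what each resource server runs locally with the shared secret.
func VerifyHS256(secret []byte, tok string, now time.Time) (Claims, error) {
	in, sig, payload, err := split(tok, "HS256")
	if err != nil { return Claims{}, err }
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	if !hmac.Equal(mac.Sum(nil), sig) { return Claims{}, errors.New("bad signature") } // constant-time
	return checkClaims(payload, now)
}

// VerifyRS256: what each resource server runs holding only the public key.
func VerifyRS256(pub *rsa.PublicKey, tok string, now time.Time) (Claims, error) {
	in, sig, payload, err := split(tok, "RS256")
	if err != nil { return Claims{}, err }
	digest := sha256.Sum256([]byte(in))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return Claims{}, errors.New("bad signature") }
	return checkClaims(payload, now)
}

func main() {
	secret := []byte("constructed-shared-secret") // demo value; load from a KMS in practice
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	claims := Claims{Sub: "alice", Exp: time.Now().Add(time.Minute).Unix()}
	rs, _ := IssueRS256(priv, claims)
	_, hsErr := VerifyHS256(secret, IssueHS256(secret, claims), time.Now())
	_, rsErr := VerifyRS256(&priv.PublicKey, rs, time.Now())
	fmt.Println("HS256 ok:", hsErr == nil, "RS256 ok:", rsErr == nil)
}
```

Two design points match the answer's reasoning. With HS256, every resource server holding the secret could also mint tokens, which is the issuing/validation separation the answer says RS256 buys you; with RS256 a compromised resource server yields only a public key. Each verifier is pinned to one algorithm before it touches the signature, so a token carrying a different `alg` header is rejected up front rather than letting the token choose which key check runs. Neither design gives real-time revocation: the `exp` check bounds a token's lifetime, but, as the answer notes, revoking earlier than that requires a central lookup per request.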
