Revoking JWT with No Expiration


Problem description

I'm looking to employ token-based authentication for a mobile app that keeps the user logged in as long as they have not logged out. My approach is to create a JWT refresh token when the user logs in/signs up; this token never expires, and continues to refresh 20-minute access tokens.

The problem arises when they log out. I've read the best way to go about this is to blacklist the JWT on Redis to store revoked keys. However, since the JWT never expires, the record can never be removed from Redis and can start to chunk a lot of my memory.

Should I be worried about this, or is Redis memory-efficient in this respect? Is there a better way to revoke a JWT with no expiration?

Recommended answer

A JWT token is a self-contained token. That means that it lives on its own until it expires and can't be revoked. So by definition it must expire. Because when it falls into the wrong hands, it'll give access to your resources without being able to revoke it. So yes, you should be worried about this implementation.

The problem here is that you trust the refresh token itself, because it's a JWT. You should in fact trust the server. Not because the JWT can't be trusted, but because the refresh token doesn't have to be a JWT.

Save refresh tokens in memory, including the expiration time. You can remove expired tokens from memory. This means that only tokens that exist in memory can be used to request a new access token. And to be on the safe side, use one-time-only refresh tokens.

The flow would be like this:

  1. User logs in, receives a JWT access token (5 minutes) and refresh token 1 (48 hours). Refresh token 1 is saved on the server.
  2. After five minutes: the access token expires.
  3. A new access token is requested using refresh token 1.
  4. User receives a new access token (5 minutes) and refresh token 2 (48 hours). Token 1 is removed from memory and token 2 is added to memory.
  5. This goes on for several hours.
  6. User does not use the app for two days.
  7. After 50 hours: since both tokens have expired, the user has to log in again. The flow resets.

On logout, remove the refresh token from memory. And if in the meantime you wish to revoke access, simply remove the refresh token from memory. Within 5 minutes the user has to log in again.
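The answer's flow as working code, added here as an example that is not part of the original post or answer: a short-lived HS256 access token beside an in-memory refresh-token store that stands in for Redis, with expiry purging, one-time rotation and revocation on logout. The `RefreshStore` class, the helper names and the demo secret are assumptions made for this example; the 5-minute and 48-hour lifetimes are the answer's.

```python
import base64, hashlib, hmac, json, secrets
SECRET = b"constructed-demo-secret"  # constructed value; load from a secret store in practice
ACCESS_TTL = 5 * 60       # access token lifetime: 5 minutes, as in the answer
REFRESH_TTL = 48 * 3600   # refresh token lifetime: 48 hours, as in the answer

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_access_token(user: str, now: float) -> str:
    """Self-contained HS256 JWT. It cannot be revoked, so it is kept short-lived."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "exp": int(now + ACCESS_TTL)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_access_token(token: str, now: float):
    """Return the subject if signature and exp check out, else None. Needs no server state."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["sub"] if claims["exp"] > now else None

class RefreshStore:
    """Server-side refresh tokens: opaque, expiring, one-time, revocable (in-memory stand-in for Redis)."""
    def __init__(self):
        self.tokens = {}  # refresh token -> (user, expires_at)
    def issue(self, user: str, now: float) -> str:
        self._purge(now)
        token = secrets.token_urlsafe(32)  # opaque, not a JWT: only the store gives it meaning
        self.tokens[token] = (user, now + REFRESH_TTL)
        return token
    def rotate(self, token: str, now: float):
        """Exchange a live refresh token for a new access+refresh pair; None if unknown or expired."""
        self._purge(now)
        entry = self.tokens.pop(token, None)  # consumed on use, so a replayed token is rejected
        if entry is None:
            return None
        return make_access_token(entry[0], now), self.issue(entry[0], now)
    def revoke(self, token: str) -> None:
        self.tokens.pop(token, None)  # logout: access ends once the current access token expires
    def _purge(self, now: float) -> None:
        self.tokens = {t: v for t, v in self.tokens.items() if v[1] > now}
```

Expired entries are dropped on every call, so the store holds at most one live refresh token per session instead of an ever-growing blacklist.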
