What is BearerOption.SaveToken property used for?


Problem description

What is the bearerOption.SaveToken property used for in the configuration of JwtAuthentication in aspnet core 2?

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(bearer =>
        {
            bearer.TokenValidationParameters.IssuerSigningKey = signingKey as SecurityKey;
            bearer.TokenValidationParameters.ValidIssuer = Configuration["Jwt:Issuer"];
            bearer.TokenValidationParameters.ValidAudience = Configuration["Jwt:Audience"];
            bearer.TokenValidationParameters.ClockSkew = TimeSpan.Zero;
            bearer.TokenValidationParameters.ValidateLifetime = true;
            bearer.TokenValidationParameters.ValidateAudience = true;
            bearer.TokenValidationParameters.ValidateIssuer = true;
            bearer.TokenValidationParameters.ValidateIssuerSigningKey = true;
            bearer.TokenValidationParameters.RequireExpirationTime = true;
            bearer.TokenValidationParameters.RequireSignedTokens = true;
            // ******
            bearer.SaveToken = true;
            // ******
        });

Recommended answer

bearer.SaveToken is used to indicate whether the server must save the token server-side to validate it. So even when a user has a properly signed and encrypted token, it'll not pass token validation if it is not generated by the server. This is a security reinforcement, so even when the signing key is compromised, your application is not.

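Drawbacks:

  • If your application restarts, the recycled tokens will no longer be valid.
  • If you have a distributed application, this method will not work for you.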
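
What the option does in code, as an added example that is not part of the original question or answer: per the documented behaviour of `JwtBearerOptions.SaveToken`, the handler stores the validated token in the request's `AuthenticationProperties`, where it can be read back with `HttpContext.GetTokenAsync`. The class name and downstream host are hypothetical, and the sketch assumes `IHttpContextAccessor` is registered in the service collection.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;

// Hypothetical handler: attaches the caller's saved bearer token to outgoing
// requests, but only when they target one trusted downstream API.
public class ForwardBearerTokenHandler : DelegatingHandler
{
    // Constructed sample value; replace with the real downstream host.
    private const string DownstreamHost = "api.internal.example";

    private readonly IHttpContextAccessor _accessor;

    public ForwardBearerTokenHandler(IHttpContextAccessor accessor)
    {
        _accessor = accessor;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var httpContext = _accessor.HttpContext;
        var targetsTrustedHost = request.RequestUri != null
            && request.RequestUri.Scheme == Uri.UriSchemeHttps
            && string.Equals(request.RequestUri.Host, DownstreamHost,
                             StringComparison.OrdinalIgnoreCase);

        if (httpContext != null && targetsTrustedHost)
        {
            // Null when SaveToken is false or the request was not
            // authenticated by the JWT bearer scheme.
            var token = await httpContext.GetTokenAsync(
                JwtBearerDefaults.AuthenticationScheme, "access_token");

            if (!string.IsNullOrEmpty(token))
            {
                request.Headers.Authorization =
                    new AuthenticationHeaderValue("Bearer", token);
            }
        }

        return await base.SendAsync(request, cancellationToken);
    }
}
```

The host and scheme check keeps the saved token from being attached to requests bound for any other destination.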
