JWT (JSON Web Token) automatic prolongation of expiration

Question

I would like to implement JWT-based authentication to our new REST API. But since the expiration is set in the token, is it possible to automatically prolong it? I don't want users to need to sign in after every X minutes if they were actively using the application in that period. That would be a huge UX fail.

But prolonging the expiration creates a new token (and the old one is still valid until it expires). And generating a new token after each request sounds silly to me. Sounds like a security issue when more than one token is valid at the same time. Of course I could invalidate the old used one using a blacklist but I would need to store the tokens. And one of the benefits of JWT is no storage.

I found how Auth0 solved it. They use not only JWT token but also a refresh token: https://docs.auth0.com/refresh-token

But again, to implement this (without Auth0) I'd need to store refresh tokens and maintain their expiration. What is the real benefit then? Why not have only one token (not JWT) and keep the expiration on the server?

Are there other options? Is using JWT not suited for this scenario?

Recommended answer

I work at Auth0 and I was involved in the design of the refresh token feature.

It all depends on the type of application and here is our recommended approach.

A good pattern is to refresh the token before it expires.

Set the token expiration to one week and refresh the token every time the user opens the web application and every one hour. If a user doesn't open the application for more than a week, they will have to log in again and this is acceptable web application UX.

To refresh the token your API needs a new endpoint that receives a valid, not expired JWT and returns the same signed JWT with the new expiration field. Then the web application will store the token somewhere.

Most native applications do login once and only once.

The idea is that the refresh token never expires and it can always be exchanged for a valid JWT.

The problem with a token that never expires is that never means never. What do you do if you lose your phone? So, it needs to be identifiable by the user somehow and the application needs to provide a way to revoke access. We decided to use the device's name, e.g. "maryo's iPad". Then the user can go to the application and revoke access to "maryo's iPad".

Another approach is to revoke the refresh token on specific events. An interesting event is changing the password.

We believe that JWT is not useful for these use cases so we use a randomly generated string and we store it on our side.
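The two mechanisms the answer describes, as an added example that is neither Auth0's code nor part of the original post: a minimal HS256 JWT issuer and verifier with the refresh endpoint for web apps (a valid, unexpired JWT comes in, the same claims go out re-signed with a new `exp`, so a user away for longer than the TTL must log in again), and for native apps a server-side store of opaque, randomly generated refresh tokens labelled with a device name, revocable per device or in bulk on a password change. The secret, the `sub` claim, the user and device names and the timestamps are constructed for the demo; no JWT library is used so that the signature and expiry checks are visible.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret; a real deployment loads it from configuration, never from source.
SECRET = b"constructed-demo-hs256-secret"
TOKEN_TTL = 7 * 24 * 3600  # one week, as the answer recommends for web apps


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(claims: dict, now: int, ttl: int = TOKEN_TTL) -> str:
    """Issue an HS256 JWT carrying `claims` plus iat/exp computed from `now`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = f"{_compact(header)}.{_compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, now: int) -> dict:
    """Return the claims if the signature checks out and exp is in the future; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    # Always verify as HS256 and only then look at the header, so an "alg": "none" header can never pass.
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(body))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def refresh_jwt(token: str, now: int) -> str:
    """The refresh endpoint from the answer: accept a valid, unexpired JWT and
    re-issue the same claims with a fresh exp. An expired token is rejected here
    too, so a user who stayed away longer than TOKEN_TTL has to log in again."""
    claims = verify_jwt(token, now)
    claims.pop("iat", None)
    claims.pop("exp", None)
    return sign_jwt(claims, now)


class RefreshTokenStore:
    """Server-side store of opaque refresh tokens for native apps: random strings
    (not JWTs) that never expire, labelled with a device name so the user can
    revoke a single device, and revocable in bulk on events such as a password change."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}  # refresh token -> {"sub": user, "device": label}

    def issue(self, sub: str, device: str) -> str:
        token = secrets.token_urlsafe(32)
        self._records[token] = {"sub": sub, "device": device}
        return token

    def exchange(self, refresh_token: str, now: int) -> str:
        """Trade a live refresh token for a JWT; unknown or revoked tokens fail."""
        record = self._records.get(refresh_token)
        if record is None:
            raise ValueError("unknown or revoked refresh token")
        return sign_jwt({"sub": record["sub"]}, now)

    def devices(self, sub: str) -> list[str]:
        """What the user sees on a 'manage devices' page."""
        return [r["device"] for r in self._records.values() if r["sub"] == sub]

    def revoke_device(self, sub: str, device: str) -> int:
        doomed = [t for t, r in self._records.items() if r["sub"] == sub and r["device"] == device]
        for t in doomed:
            del self._records[t]
        return len(doomed)

    def revoke_all(self, sub: str) -> int:
        """E.g. on password change: every device has to log in again."""
        doomed = [t for t, r in self._records.items() if r["sub"] == sub]
        for t in doomed:
            del self._records[t]
        return len(doomed)
```

The verifier checks the HMAC before it reads the header, which is the detail that keeps an attacker-supplied `alg` value from steering verification; and because `refresh_jwt` goes through the same `verify_jwt`, the refresh endpoint cannot resurrect a token that has already lapsed. The store keeps nothing but the random string and its owner/device label, which is exactly the small amount of server-side state the question was reluctant to accept and the answer argues is worth it.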
