在 JWT 中设置角色是最佳实践吗? [英] Is setting Roles in JWT a best practice?

问题描述

我正在考虑使用 JWT.在 jwt.io 示例 中，我在负载数据中看到以下信息:

I am considering to use JWT. In the jwt.io example I am seeing the following information in the payload data:

"admin": true

管理员可以被视为一个角色，因此我的问题.在令牌有效负载中设置角色是一种习惯/良好做法吗?鉴于角色可以动态修改，我很疑惑.

Admin can be considered as a Role, hence my question. Is setting the role in the token payload a habitual/good practice? Given that roles can be dynamically modified, I'm quite interrogative.

推荐答案

如果它们对您的客户有用，则没有什么可以阻止您创建声明以在您的令牌中存储额外信息.

Nothing stops you from creating claims to store extra information in your token if they can be useful for your client.

然而，我只会依赖 JWT 进行身份验证(调用者是谁).如果您需要执行授权(调用者可以执行的操作)，请从持久存储中查找调用者角色/权限以获得最新的值.

However I would rely on JWT only for authentication (who the caller is). If you need to perform authorization (what the caller can do), look up the caller roles/permissions from your persistent storage to get the most updated value.

对于短期令牌(例如，在微服务集群中传播身份验证和授权时)，我发现在令牌中包含角色很有用.

For short-lived tokens (for example, when propagating authentication and authorization in a microservices cluster), I find it useful to have the roles in the token.

这篇关于在 JWT 中设置角色是最佳实践吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！