JWT and one-time tokens?


Question

I'm in the process of rolling my own JWT token auth; however, I would really like it to be a one-time token – so once it's used, the server generates a new token and the client will have to use that token during the next request/call.

However, it has come to my understanding that JWT is supposed to be 'stateless' – but with the approach of a one-time token, I guess I would need to somehow store the valid tokens, since the token will be refreshed once it's used. Or is there any way to avoid storing a value on the server and still be able to create one-time tokens?

The two main reasons why I don't want to store any value are, first of all, scalability (sure, I could have a cache server in between to store the values, but it would be nice if that weren't required), and secondly, JWT is supposed to be stateless from my understanding, which it wouldn't be if I needed to store a value on the server to be able to validate the token.

Any ideas?

Recommended answer

Use the hash of the user's current password to sign the JWT token; this way, all tokens generated before a successful password change get invalidated the next time. I got the idea from here: https://www.jbspeakr.cc/howto-single-use-jwt/.
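A worked version of the technique in the answer above, added here as an example; it is not code from the original post or from the linked article. It builds HS256 JWTs with the standard library and derives each user's signing key from a server secret plus that user's stored password hash, so the key (and therefore every signature) changes when the password does. The `SERVER_SECRET`, the in-memory `USERS` store, PBKDF2 for the password hash and mixing the hash through HMAC rather than using it directly as the key are all assumptions of this example. The `demo()` function shows both the property the answer describes and its limit: the same token verifies on every request until the password changes, at which point it is rejected; nothing here makes a token single-use.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Assumption: a per-deployment secret, kept out of source control in real use.
SERVER_SECRET = b"example-server-secret-rotate-me"

# Constructed in-memory user store; a real deployment reads this from a database.
USERS = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the password store already uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "password_hash": hash_password(password, salt)}


def signing_key(username: str) -> bytes:
    # Per-user key: mixes the server secret with the stored password hash, so the
    # key changes whenever the password does. Mixing through HMAC keeps the raw
    # password hash itself from being used as the MAC key (design choice here).
    return hmac.new(SERVER_SECRET, USERS[username]["password_hash"], hashlib.sha256).digest()


def issue_token(username: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(signing_key(username), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature verifies under the user's *current* key
    and the token has not expired; otherwise return None."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    username = payload.get("sub")
    if username not in USERS:
        return None
    expected = hmac.new(signing_key(username), (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged, tampered, or issued before the password changed
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def demo() -> tuple:
    """Issue one token, present it twice, change the password, present it again."""
    set_password("alice", "correct horse battery staple")
    token = issue_token("alice", now=1_700_000_000)
    first = verify_token(token, now=1_700_000_100) is not None
    second = verify_token(token, now=1_700_000_200) is not None  # replayed: still accepted
    set_password("alice", "a different password")
    after_change = verify_token(token, now=1_700_000_300) is not None
    return first, second, after_change


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Because the key is derived from the stored hash rather than the password itself, a token can be verified without the user present; the trade-off is that every verification needs a lookup of the user's current hash, so this is not fully stateless either, it just reuses state the server already keeps.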

