Tokens statelessness and storage


Question

I have been reading a lot about not saving the tokens in the user agent storage and I agree with the risks mentioned. But going through some of the Auth0 quickstart examples, I see the tokens being saved in the session and using session cookies to track them.

Others mention saving the actual token as an httpOnly cookie with lower risks involved.

My questions are:

  • How is this considered stateless? Especially with regard to scalability and the potential use of load balancers.
  • Are an in-memory cache or database storage alternatives? Is that any different from a session?
  • For a SPA, how do you keep the remember-me functionality?

Answer

Asi Kavindu wrote that localStorage is a good place. If you want to protect the application against XSS attacks, use Content Security Policy, so a browser executes only your JavaScript code. There is a recent RFC about best practices for OAuth 2.0 and Browser-Based Apps, so you can check it.

If you want to keep state (session) on your backend with multiple backend nodes (cluster), you can use some shared data storage such as a database or Hazelcast. The architecture is stateful in the same way as a single backend node with an in-memory session.

If you have a session on your backend and a cookie, you don't need an access token anymore, since your SPA calls just your backend and the token would serve the same purpose as the session ID from the cookie.

The remember-me functionality can be implemented using a cookie either at your authentication provider (probably the better choice from the security standpoint) or in your own application.

Architecture choices are usually trade-offs between simplicity and scalability. If you are just starting to develop the application and are not sure what to choose, I would go for simplicity, because even if you want to change it later, it should be easier to refactor.

