JWT (JSON Web Token) automatic prolongation of expiration


Question

I would like to implement JWT-based authentication for our new REST API. But since the expiration is set in the token, is it possible to automatically prolong it? I don't want users to need to sign in after every X minutes if they were actively using the application in that period. That would be a huge UX fail.

But prolonging the expiration creates a new token (and the old one is still valid until it expires). And generating a new token after each request sounds silly to me. It sounds like a security issue when more than one token is valid at the same time. Of course I could invalidate the old one using a blacklist, but I would need to store the tokens. And one of the benefits of JWT is no storage.

I found how Auth0 solved it. They use not only a JWT token but also a refresh token: https://auth0.com/docs/tokens/refresh-tokens

But again, to implement this (without Auth0) I'd need to store refresh tokens and maintain their expiration. What is the real benefit then? Why not have only one token (not JWT) and keep the expiration on the server?

Are there other options? Is using JWT not suited for this scenario?

Accepted answer

I work at Auth0 and I was involved in the design of the refresh token feature.

It all depends on the type of application, and here is our recommended approach.

A good pattern is to refresh the token before it expires.

Set the token expiration to one week and refresh the token every time the user opens the web application and every hour. If a user doesn't open the application for more than a week, they will have to log in again, and this is acceptable web application UX.

To refresh the token, your API needs a new endpoint that receives a valid, not-expired JWT and returns the same signed JWT with the new expiration field. Then the web application will store the token somewhere.

Most native applications log in once and only once.

The idea is that the refresh token never expires and it can always be exchanged for a valid JWT.

The problem with a token that never expires is that never means never. What do you do if you lose your phone? So, it needs to be identifiable by the user somehow, and the application needs to provide a way to revoke access. We decided to use the device's name, e.g. "maryo's iPad". Then the user can go to the application and revoke access for "maryo's iPad".

Another approach is to revoke the refresh token on specific events. An interesting event is changing the password.

We believe that JWT is not useful for these use cases, so we use a randomly generated string and store it on our side.
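Both mechanisms the answer describes, as an added example that is not part of the original answer and not Auth0's code: the web-app refresh endpoint that accepts a valid, unexpired JWT and re-signs the same claims with a new `exp` (one week, slid forward on every refresh), and the native-app pattern of an opaque, randomly generated refresh token stored server-side, labelled with a device name so the user can revoke "maryo's iPad" individually or everything at once on a password change. The HS256 signer is hand-rolled so the block runs with the standard library only. The key, the `orig_iat` claim with a 30-day absolute ceiling on the refresh chain, and storing only a hash of each refresh token are assumptions added here; the answer does not specify them.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key for the example only; a deployment loads this from a secret store.
SECRET = b"example-hs256-key-not-for-production"
TOKEN_TTL = 7 * 86400        # the answer's one-week expiration, slid forward on each refresh
ABSOLUTE_TTL = 30 * 86400    # assumption added here: no chain of refreshes outlives this


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str, now: int) -> dict:
    """Return the claims if the signature checks out and exp is still in the future."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never let the header choose it
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def issue_access_token(sub: str, now: int) -> str:
    # orig_iat (an addition) remembers the real login time so the sliding window has a ceiling
    return sign_jwt({"sub": sub, "iat": now, "orig_iat": now, "exp": now + TOKEN_TTL})


def refresh_access_token(token: str, now: int) -> str:
    """The web-app refresh endpoint from the answer: accept a valid, unexpired JWT and
    return the same claims re-signed with a new exp. The old token stays valid until its
    own exp, exactly as the question notes; the absolute ceiling is an addition."""
    claims = verify_jwt(token, now)
    new_exp = min(now + TOKEN_TTL, claims["orig_iat"] + ABSOLUTE_TTL)
    if new_exp <= now:
        raise ValueError("absolute lifetime exhausted; sign in again")
    return sign_jwt({**claims, "iat": now, "exp": new_exp})


class RefreshTokenStore:
    """Native-app pattern from the answer: the refresh token is a random string kept
    server-side (not a JWT), labelled with a device name so the user can revoke it.
    Keeping only a hash of the token is an addition: a leaked table yields nothing usable."""

    def __init__(self) -> None:
        self._by_hash = {}   # sha256(token) -> {"sub": ..., "device": ...}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, sub: str, device: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[self._key(token)] = {"sub": sub, "device": device}
        return token   # handed to the client once; the server never stores it in clear

    def exchange(self, token: str, now: int) -> str:
        """Swap a refresh token for a fresh JWT; unknown or revoked tokens are rejected."""
        rec = self._by_hash.get(self._key(token))
        if rec is None:
            raise ValueError("unknown or revoked refresh token")
        return issue_access_token(rec["sub"], now)

    def list_devices(self, sub: str) -> list:
        return sorted(r["device"] for r in self._by_hash.values() if r["sub"] == sub)

    def revoke_device(self, sub: str, device: str) -> None:
        """What the user clicks to revoke access for "maryo's iPad"."""
        self._by_hash = {h: r for h, r in self._by_hash.items()
                         if not (r["sub"] == sub and r["device"] == device)}

    def revoke_all(self, sub: str) -> None:
        """The password-change event: drop every refresh token the user has."""
        self._by_hash = {h: r for h, r in self._by_hash.items() if r["sub"] != sub}
```

The refresh endpoint illustrates the trade-off the question raises: because the server keeps no state for web-app tokens, a previously issued JWT cannot be pulled back and remains valid until its own `exp`, which is why the window should be short relative to how often the client refreshes, and why the ceiling on `orig_iat` is worth adding so a token that keeps getting refreshed cannot live forever. The store for native apps is the other side of the same trade-off: holding one random string per device costs a lookup per refresh, but that lookup is exactly what makes per-device revocation and revoke-on-password-change possible.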

