JWT: how to handle GET requests when user opens a new tab?

Question

There are a lot of advantages when using JWT over Cookies on API-centric apps and I understand that you can store the token in sessionStorage when accessing the app via a browser. You can set an interceptor on your JS code to inject the JWT token on the Authorization header for GET requests -- as long as these GET requests are being made from the same code that authenticated the user.

But what happens when the user is authenticated, then opens a new tab and tries to access a different restricted area (or even the same area) of the app/site? In this case, there is no interceptor to inject the token on the Authorization header on the new tab. I suppose the server will receive the GET request, look for a JWT token on the Authorization header and will not find it, rejecting the request.

When you are using Cookies, they are always sent by the browser natively and you don't have to worry about new tabs and authentication.

Is there a way to set up the Authorization header globally for the domain on the browser the moment the user authenticates in the first tab? What are the usual solutions for this matter, if any?

Recommended answer

Upon accessing a protected URL without the right credentials (like a JWT) the browser would be redirected to a specific endpoint (e.g. on the Authorization Server) where it can get a new JWT.

This happens for example in the OpenID Connect Implicit flow: http://openid.net/specs/openid-connect-implicit-1_0.html

But it would also be possible to store the JWT in a cookie. That's just not a standardized way of presenting JWTs so it would be specific to your client/browser and the protected application.
