Best HTTP Authorization header type for JWT


Question

I'm wondering what is the most appropriate Authorization HTTP header type for JWT tokens.

One of the most popular types is probably Basic. For instance:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

It handles two parameters such as a login and a password. So it is not relevant for JWT tokens.

Also, I heard about the Bearer type, for instance:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

However, I don't know its meaning. Is it related to bears?

Is there a particular way to use JWT tokens in the HTTP Authorization header? Should we use Bearer, or should we simplify and just use:

Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Thanks.

Or maybe, just a JWT HTTP header:

JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Answer

The best HTTP header for your client to send an access token (JWT or any other token) is the Authorization header with the Bearer authentication scheme.

This scheme is described by RFC6750.

Example:

GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIXVCJ9TJV...r7E20RMHrHDcEfxjoYZgeFONFh7HgQ

If you need stronger security protection, you may also consider the following IETF draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-pop-architecture. This draft seems to be a good alternative to the (abandoned?) https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-http-mac.

Note that even if this RFC and the above specifications are related to the OAuth2 Framework protocol, they can be used in any other context that requires a token exchange between a client and a server.

Unlike the custom JWT scheme you mention in your question, the Bearer one is registered at the IANA.

Concerning the Basic and Digest authentication schemes, they are dedicated to authentication using a username and a secret (see RFC7616 and RFC7617), so they are not applicable in that context.
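As an added example (not part of the question or the answer), here is a server-side Python check that accepts only the Bearer scheme recommended above, validates the credential against the RFC 6750 b64token syntax, and then verifies an HS256 JWT laid out like the token in the question. The secret and the claims it signs are constructed for the example, and the helper names are my own.

```python
import base64, hashlib, hmac, json, re

# RFC 6750 sec. 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

def extract_bearer_token(headers):
    """Return the token from 'Authorization: Bearer <b64token>', else None.
    The scheme name is compared case-insensitively (RFC 7235); a bare token or
    a custom 'JWT:' header is rejected, as the answer above recommends."""
    value = headers.get("Authorization")
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    return token if _B64TOKEN.match(token) else None

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, secret):
    """Build a compact HS256 JWT with the same layout as the token in the question."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"

def verify_hs256(token, secret):
    """Return the claims if the HS256 signature verifies, else None.
    The algorithm is pinned here instead of being read from the token header."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None

def authenticate(headers, secret):
    """Server-side check: header scheme first, then token signature."""
    token = extract_bearer_token(headers)
    return verify_hs256(token, secret) if token else None
```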
