Does it make sense to store JWT in a database?


Question


I've implemented a basic authentication system with Spring Boot, Spring Security, OAUTH2 and JWT as auth tokens. It works alright but I was thinking if it makes sense to store JWT in a database and check if a token exists every time someone makes an authenticated request using it? I was thinking specifically of the following scenario: user is authenticated in a mobile device and they lose it so they want to deauthorize that device. They would then be able to issue an operation that clears the tokens issued to their user id and deauthorize all tokens assigned to him. Any other way? Am I thinking this wrong or overcomplicating things?


This is for securing a REST API that is going to get called from a mobile APP.

Recommended answer


You could store the JWT in the db but you lose some of the benefits of a JWT. The JWT gives you the advantage of not needing to check the token in a db every time since you can just use cryptography to verify that the token is legitimate. If you have to look up the token in the db, you might as well just use an opaque token that doesn't carry information with it and let the server and database provide you with the information. On the other hand, if you're going to store a token in the db, I don't think a JWT is a bad choice for your token type. As you say, there are advantages for revocation if you store your token in the db. It all depends on what you want to achieve (faster authorization, etc. vs ability to revoke on demand).


You can still use JWT with OAuth2 without storing tokens in the db if you want. JWTs have a configurable expiry time that you can set, after which they are invalid. Access Tokens (whether JWT or not) should usually be short-lived for security. If the concern is someone's phone being stolen and access tokens being obtained, I think the solution is to have those tokens expire quickly (30 mins?). If you're using oauth2, the means of stopping someone from continuing to use the app is for the real owner to de-authorize the mobile app client on the authorization server so that no more access tokens will be given out.
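The trade-off the answer describes, as an added example that is not part of the original question or answer and not Spring Security code: a minimal HS256 JWT issuer, the stateless verification path (signature and `exp` only, no database), and a per-user "revoked at" store that stands in for the database table the question asks about. The secret, user ids and timestamps are constructed for the example; the store is an in-memory dict assumed to play the role of a database row per user, and only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; a real service loads it from a secret store.
SECRET = b"example-hs256-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, jti: str, now: int, ttl_seconds: int = 1800) -> str:
    """Mint a compact HS256 JWT. The default TTL is the ~30 minutes the answer suggests."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_stateless(token: str, now: int) -> Optional[dict]:
    """Signature plus expiry check only: the stateless path, no database involved."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        # Refuse anything but the one algorithm we expect (no "none", no key confusion).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if now >= payload["exp"]:  # expired tokens are rejected without any lookup
        return None
    return payload


class RevocationStore:
    """Stand-in for the database table the question asks about.

    Holds, per user, the time after which tokens issued earlier are no longer
    accepted. Nothing is stored per token; only users who revoked have a row,
    so "deauthorize everything for this user" is one write and one small read.
    """

    def __init__(self) -> None:
        self._not_before: dict = {}

    def revoke_all_for(self, sub: str, now: int) -> None:
        self._not_before[sub] = now

    def is_revoked(self, payload: dict) -> bool:
        cutoff = self._not_before.get(payload.get("sub"))
        return cutoff is not None and payload.get("iat", 0) <= cutoff


def verify_with_revocation(token: str, now: int, store: RevocationStore) -> Optional[dict]:
    """The stateful path: cryptographic check first, then the revocation lookup."""
    payload = verify_stateless(token, now)
    if payload is None or store.is_revoked(payload):
        return None
    return payload


if __name__ == "__main__":
    now = int(time.time())
    store = RevocationStore()
    tok = issue_token("user-42", "device-phone-1", now)
    print("stateless ok:", verify_stateless(tok, now + 5) is not None)
    store.revoke_all_for("user-42", now + 10)  # "I lost my phone"
    print("after revoke:", verify_with_revocation(tok, now + 20, store))
    print("new login ok:", verify_with_revocation(issue_token("user-42", "device-phone-2", now + 30), now + 35, store) is not None)
```

The design choice here mirrors the answer: `verify_stateless` is what a JWT buys you, and every request that also calls `verify_with_revocation` pays the database hit the answer warns about. Keeping a per-user cutoff rather than a row per token keeps that hit small and avoids storing every issued JWT, but if short `exp` values and de-authorizing the client at the authorization server already cover the lost-device case, the revocation lookup can be dropped from the hot path altogether.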
