JWT authentication concept


Problem description

I am currently working on an interaction between an Angular JS app and a Node.js server (as API) with authentication based on JSON Web Tokens.

But I have a question I can't answer by myself: when you encode the JWT server-side putting a user as payload, how do you proceed to retrieve the user information client-side? Here is a small example to understand my question:

I am a basic user, I send my credentials to the API for authenticating. In exchange, I receive a JWT token, but I don't have any information about the user since only the server has the secret key that is able to decode the JWT token. So does the server need to send me, for example, the id of the user so that I could call my API user/id to retrieve information about the authenticated user?

Recommended answer

You retrieve the user's info by decoding the token on each request. So in your example, after the token is returned to the client, the client makes a request to the server to grab the user's first and last name using the data stored in the encoded token, which is sent along with the request back to the server. When making this GET request, you can send the token as a parameter. I'll use a non-cookie stored example. Here's how it goes down:

  1. User signs in with their password and username.
  2. Server encodes a JSON Web Token payload containing a unique identifier for the signed-in user (i.e. user_id) using secret_key. An example function call might look like this:

         payload = {user_id: 35}
         user_token = JWT.encode(payload, "your_secret_key");

  3. Return the user_token to the client and store said token in a hidden HTML tag or in a localStorage variable. Using Angular, I'd store it in localStorage.
  4. Now that the user is signed in and the token is client-side, you can submit a GET request that contains the user_token as a parameter. Remember, this user_token payload contains the user_id.
  5. The server gets the parameter and decodes the user_token to get the user_id from the payload.
  6. You query the database with the user_id and return the data (first and last name) as plain JSON, NOT ENCODED.

It's important to remember the only thing to encode in your example is the unique identifier (user_id). On each request you decode the token, which itself is the authentication mechanism.
