When to use RS256 for JWT?


Question

So, right now I'm building an API for third parties to use, and I was reading about RS256 and HS256. What I understood was that the difference between them is that in the first one you use a public key to verify and a private key to sign, and the other one uses just one key. So if you use RS256 it's because you want to keep your secret key secure and want the client to verify the token, but what I don't understand is why you would want to verify the token in the client. Because you do a POST request to the server, then it sends you back a token, and whenever you want to make an authorized request you just use that token and the server verifies it and lets you continue if it's OK. So, why would you want to verify the token in the client? I thought it was the backend's duty.

I think maybe I'm wrong about something; I hope you can help clear this up. Thanks.

So, my question is: I know the differences between RS256 and HS256, but what I don't understand is the flow of how it is used. Right now I'm developing a third-party API, and I just need to return a token when the client asks for it, and then in the requests that need it, just verify on the server that it's a valid token. From what I understand, RS256 is used when you want to verify your token from the client; if that's right, can someone give me an example of when or why you would want to verify the token in the client?

Answer

Use RS256 when:

  • tokens are signed by a third party, usually an Identity Provider (e.g. oauth2/oidc), and you need to verify that the token has been issued by a trusted entity

  • tokens are signed by clients, usually to get access to an API, where clients have previously registered the public key

  • tokens are signed by a centralized authentication server in a Single Sign-On system and they are used to get access to several federated servers

  • tokens are used to transfer data between two parties, not necessarily for authentication purposes, and the signature is used to ensure the identity of the signatory

Use HS256 when:

  • tokens are signed and verified by the same server
