Does Using Opaque Access Tokens Make My Server Stateful?


Question


I am trying to understand statelessness in restful APIs in the context of authentication. Here's the scenario:

  1. The user logs in.
  2. The server validates the username and password and generates an opaque access token. It caches some information related to this token, such as the expiry time, the userId, whether the token has been explicitly invalidated before expiry, etc.
  3. The token is sent to the client, and the client sends it with every subsequent request.


Fielding's dissertation defines statelessness as:


"...such that each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client."


In my example, the client is sending the token with every request, so the first condition is satisfied. However, my server has a context associated with this session that is stored in the sessions cache.


Does this make my application stateful?


If yes, then is it that true statelessness can be achieved only if we are using JWTs? I am pondering this because JWTs are quite new, so how were architects building truly stateless services before they were invented?

Answer


That's right. If you are maintaining the session, you are keeping the state in the server, which makes the application hard to scale. True stateless applications can be scaled out, and any server should be able to handle the request.


JWT is a popular way to avoid sessions: everything is encapsulated inside the token, so any server can authenticate/authorize the request, which helps us achieve a stateless application. They come with their own challenges; however, OpenID Connect is the new way for authentication/authorization.


Before JWT, to make the application stateless we used to keep the session in a DB (or shared cache), and any server that wanted to check the session would have to contact the DB.

Hope it helps!
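As an added example (not part of the question or the answer above), the following Python models the two designs the thread discusses: the opaque token from the question, whose meaning lives entirely in a server-side session store, and a self-contained HMAC-signed token (a simplified stand-in for a JWT, built from the standard library rather than a JWT library) that any server holding the key can verify without consulting shared storage. It also demonstrates one of the "challenges" the answer alludes to: a self-contained token cannot be invalidated before its expiry unless some server-side state (a denylist) is reintroduced. The class and function names, the shared key and the fixed timestamps are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class OpaqueTokenServer:
    """Opaque-token model: the token is a random handle, and every fact about it
    (user, expiry, revocation) lives in this server's session store."""

    def __init__(self):
        self.sessions = {}  # token -> {"user_id": ..., "exp": ..., "revoked": ...}

    def issue(self, user_id, ttl=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self.sessions[token] = {"user_id": user_id, "exp": now + ttl, "revoked": False}
        return token

    def revoke(self, token):
        # Early invalidation is trivial here: flip a flag in the store.
        if token in self.sessions:
            self.sessions[token]["revoked"] = True

    def authenticate(self, token, now=None):
        now = time.time() if now is None else now
        rec = self.sessions.get(token)  # a server without this store cannot answer
        if rec is None or rec["revoked"] or now >= rec["exp"]:
            return None
        return rec["user_id"]


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_signed_token(key, user_id, ttl=3600, now=None):
    """Self-contained model: the claims travel inside the token, protected by an
    HMAC-SHA256 over the encoded claims (a simplified JWT-style layout)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now + ttl)}
    payload = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64e(sig)


def verify_signed_token(key, token, now=None):
    """Any server holding `key` can verify the token with no shared session store."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison, and check the MAC before trusting any claim.
    if not hmac.compare_digest(expected, _b64d(sig)):
        return None
    claims = json.loads(_b64d(payload))
    if now >= claims["exp"]:
        return None
    return claims["sub"]


def compare_models(now=1_700_000_000):
    """Run both models through issue, cross-server check and early revocation.
    `now` is a fixed timestamp (assumption) so the run is deterministic."""
    server_a, server_b = OpaqueTokenServer(), OpaqueTokenServer()
    opaque = server_a.issue("alice", now=now)
    result = {
        "opaque_on_issuer": server_a.authenticate(opaque, now=now + 1),
        # A second server with its own (empty) store cannot make sense of the token.
        "opaque_on_other_server": server_b.authenticate(opaque, now=now + 1),
    }
    server_a.revoke(opaque)
    result["opaque_after_revoke"] = server_a.authenticate(opaque, now=now + 1)

    key = b"shared-signing-key"  # assumption: one HMAC key distributed to all servers
    signed = mint_signed_token(key, "alice", now=now)
    result["signed_on_any_server"] = verify_signed_token(key, signed, now=now + 1)
    result["signed_wrong_key"] = verify_signed_token(b"other-key", signed, now=now + 1)
    result["signed_expired"] = verify_signed_token(key, signed, now=now + 3600)
    # There is no revoke(): without a server-side denylist the token stays valid until exp.
    result["signed_cannot_revoke_early"] = verify_signed_token(key, signed, now=now + 1)
    return result


if __name__ == "__main__":
    for name, value in compare_models().items():
        print(f"{name}: {value}")
```

The opaque design is exactly the "session in a DB or shared cache" the answer describes: it scales only if every server can reach the same store. The signed design needs no store, so any server with the key can handle the request, but the price is that "explicitly invalidated before expiry" has no cheap answer; in practice that is handled with short lifetimes plus a refresh token, or with a denylist, which brings some state back.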
