How to use jti claim in a JWT


Question


The JWT spec mentions a jti claim which allegedly can be used as a nonce to prevent replay attacks:

jti"(JWT ID) 声明为 JWT 提供唯一标识符.标识符值的分配方式必须确保相同的值被意外分配给不同的数据对象的可能性可以忽略不计;如果应用程序使用多个发行者,则必须防止不同发行者产生的值之间的冲突.jti"声明可用于防止 JWT 被重放.jti"value 是区分大小写的字符串.使用此声明是可选的.

The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string. Use of this claim is OPTIONAL.


My question is, how would I go about implementing this? Do I need to store the previously used jtis and issue a new JWT with every request? If so, doesn't this defeat the purpose of JWTs? Why use a JWT instead of just storing a randomly-generated session ID in a database?


My REST API has a Mongo database and I'm not opposed to adding a Redis instance. Is there a better authentication option than JWT? I mainly just don't want to store passwords on the client, which eliminates HTTP authentication as an option; however, as I'm getting deeper into this JWT stuff, I'm starting to feel as if a custom token implementation or a different standard might better suit my needs. Are there any node/express packages for token-based authentication that support token revocation and rotating tokens?

Any help is appreciated.

Answer


Indeed, storing all issued JWT IDs undermines the stateless nature of using JWTs. However, the purpose of JWT IDs is to be able to revoke previously-issued JWTs. This can most easily be achieved by blacklisting instead of whitelisting. If you've included the "exp" claim (you should), then you can eventually clean up blacklisted JWTs as they expire naturally. Of course you can implement other revocation options alongside (e.g. revoke all tokens of one client based on a combination of "iat" and "aud").

