AngularJS or SPA with JWT - expiry and refresh


Question

I understand the flow of JWT and a single page application in terms of login and JWT issuance. However, if the JWT has a baked in expiry, AND the server isn't issuing a new JWT on each request, what is the best way for renewing? There is a concept of refresh tokens, but storing such a thing in a web browser sounds like a golden ticket.

I.e. I could easily go into a browser's local storage and steal a refresh token. Then I could go to another computer and issue myself a new token. I feel like there would need to be a server session in a DB that's referenced in the JWT. Therefore the server could see if the session ID is still active or invalidated by a refresh token.

What are the secure ways to implement JWT in a SPA and handling new token issuance whilst the user is active?

Answer

Renewing the token every 15 minutes (if it lives for 30) works if you don't have another restriction in your server in which you need to check for 1 hour inactivity to log the user out. If you just want this short lived JWT and keep on updating it, it'd work.

I think one of the big advantages of using JWT is to actually NOT need a server session and therefore not use the JTI. That way, you don't need syncing at all, so that'd be the approach I'd recommend you follow.

If you want to forcibly log out the user if he's inactive, just set a JWT with an expiration in one hour. Have a $interval which every ~50 minutes automatically gets a new JWT based on the old one IF there was at least one operation done in the last 50 minutes (you could have a request interceptor that just counts requests to check if he's active), and that's it.

That way you don't have to save JTI in DB, you don't have to have a server session and it's not a much worse approach than the other one.

What do you think?
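The renewal loop the answer describes, written out as an added example (it is not code from the original post or from AngularJS). It is framework-neutral plain JavaScript so it runs under Node: the two functions `interceptRequest` and `tick` play the roles of an `$http` request interceptor and an `$interval` callback respectively, and `now` and the renewal call are injected so the simulation can use a fake clock. The token format, the `demoServerRenew` stand-in for the server's renewal endpoint and all user/timing values are constructed for illustration; a real server signs its tokens and verifies the signature before issuing a replacement, which the unsigned demo token deliberately omits.

```javascript
const MINUTE_MS = 60 * 1000;

// Minimal base64url helpers (hypothetical names, constructed for this example).
const b64url = (s) => Buffer.from(s).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString();

// Constructed demo token: header.payload. with an empty signature (alg "none").
// It models only the claims; a real server signs tokens and checks the signature.
function makeDemoToken(issuedAtMs, lifetimeMs, sub = "demo-user") {
  const header = { alg: "none", typ: "JWT" };
  const payload = {
    sub,
    iat: Math.floor(issuedAtMs / 1000),
    exp: Math.floor((issuedAtMs + lifetimeMs) / 1000),
  };
  return `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}.`;
}

function tokenClaims(token) {
  return JSON.parse(fromB64url(token.split(".")[1]));
}

function isExpired(token, nowMs) {
  return tokenClaims(token).exp * 1000 <= nowMs;
}

// Constructed stand-in for the server's renewal endpoint: a fresh token is only
// issued in exchange for one that is still valid, so an idle session that has
// already expired cannot be revived. Returns null when renewal is refused.
function demoServerRenew(oldToken, nowMs, lifetimeMs) {
  if (isExpired(oldToken, nowMs)) return null;
  return makeDemoToken(nowMs, lifetimeMs, tokenClaims(oldToken).sub);
}

// Client-side session keeper: no server session, no JTI store, just activity counting.
function createSessionKeeper({ initialToken, tokenLifetimeMs, renew, now }) {
  let token = initialToken;
  let requestsSinceLastTick = 0;

  // Request-interceptor role: attach the bearer token and count the request as activity.
  // Throws once the token has expired so the caller can send the user back to login.
  function interceptRequest(config) {
    if (isExpired(token, now())) throw new Error("session expired: re-authenticate");
    requestsSinceLastTick += 1;
    return { ...config, headers: { ...(config.headers || {}), Authorization: `Bearer ${token}` } };
  }

  // Timer role: called every renewal interval (the answer's ~50 minutes for a 60-minute token).
  // Renews only if at least one request happened since the last tick; otherwise the token
  // is allowed to run out, which is what logs an inactive user out.
  function tick() {
    const t = now();
    if (isExpired(token, t)) return "expired";
    if (requestsSinceLastTick === 0) return "idle";
    const fresh = renew(token, t, tokenLifetimeMs);
    if (fresh === null) return "expired";
    token = fresh;
    requestsSinceLastTick = 0;
    return "renewed";
  }

  return { interceptRequest, tick, currentToken: () => token };
}

// Simulation with a fake clock: 60-minute token, ticks at the given minutes,
// requests at the given minutes. Returns an event log and the final exp claim.
function simulate(requestMinutes, tickMinutes) {
  let clock = 0;
  const keeper = createSessionKeeper({
    initialToken: makeDemoToken(0, 60 * MINUTE_MS),
    tokenLifetimeMs: 60 * MINUTE_MS,
    renew: demoServerRenew,
    now: () => clock,
  });
  const events = [
    ...requestMinutes.map((m) => ({ m, kind: "req" })),
    ...tickMinutes.map((m) => ({ m, kind: "tick" })),
  ].sort((a, b) => a.m - b.m);
  const log = [];
  for (const e of events) {
    clock = e.m * MINUTE_MS;
    if (e.kind === "tick") {
      log.push(`${e.m}:${keeper.tick()}`);
    } else {
      try { keeper.interceptRequest({ url: "/api/data" }); log.push(`${e.m}:sent`); }
      catch { log.push(`${e.m}:rejected`); }
    }
  }
  return { log, exp: tokenClaims(keeper.currentToken()).exp };
}

console.log(simulate([10, 70], [50, 100]).log);   // active user keeps getting renewed
console.log(simulate([10, 120], [50, 100]).log);  // idle user runs out at minute 110
```

The second scenario is the point of the answer: the tick at minute 100 sees no requests since minute 50, declines to renew, and the request at minute 120 is rejected purely because the token's `exp` has passed. Nothing on the server had to be consulted or invalidated to end that session.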
