ASP.NET Identity Bearer Token vs JWT Pros and Cons


Problem description

I have used ASP.NET Identity for a while now and have been looking at JWT (JSON Web Token) as they seem really interesting and easy to use.

JWT.IO has a great example/tool of debugging the token.

However, I'm not entirely sure how JWTs work on the back end, would you still use Identity?

Also how do the tokens (Bearer vs JWT) compare? Which is more secure?

Recommended answer

JWTs are like a ticket to an attraction. It contains all the security information a server needs embedded in it. Once the server has handed it out the client just needs to present it whenever it asks for something and the server responds accordingly if it's valid.

The contents are entirely viewable, but they're signed using a secret key by the server so it can tell if they've been tampered with.

Since everything is in the JWT, and the client can present it to whomever they want, you can use it for Single Sign On as long as the different servers share the same secret so they can verify the signature.

Like a ticket, a JWT has an expiry date. As long as it hasn't expired, it's valid. This means you can't revoke them before that. For this reason JWTs often have short expiry times (30 mins or so) and the client is also issued a refresh token in order to renew the JWT quickly when it expires.

JWT

  • Not stored on the server
  • Great for Single Sign On
  • Can't be revoked early

Bearer tokens are like a guest list. The server puts the client on the guest list, then provides a pass code to identify it when it wants something. When the client provides the code, the server looks it up on the list and checks that it's allowed to do whatever it's asking.

The server has to have the list available to it so if you want to share access across servers, they either all need to be able to access the list (database), or talk to some authority that has it (auth server).

On the other hand, since they have the guest list, they can take you off it whenever they want.

Bearer tokens

  • Stored on the server
  • Can be revoked at any time
  • Need a central authority or shared database to share tokens between servers

Bit of Tech has some excellent tutorials on implementing JWTs with Web Api if you want to go down that route.

http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/
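As an added illustration (not part of the original question or answer, and not the Bit of Tech tutorial's code), here is a minimal Python sketch of the two models the answer describes: a self-contained HS256-signed JWT that any server holding the shared secret can verify, whose contents are readable but tamper-evident, and which cannot be revoked before `exp`; beside it, a server-side "guest list" of opaque bearer tokens that can be revoked at any time. The secret, claims and helper names are constructed for the example.

```python
import base64, hmac, hashlib, json, time, secrets
SECRET = b"demo-shared-secret"  # constructed key; every server that must verify tokens shares it

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict, secret: bytes = SECRET, ttl: int = 1800) -> str:
    """The 'ticket': claims plus a short exp (30 min), HS256-signed. Nothing is stored server-side."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "exp": int(time.time()) + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if the signature is intact and the token is unexpired, otherwise None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None  # malformed token
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None  # only accept the algorithm we issued with
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # contents are readable by anyone, but any edit breaks the signature
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None  # expired; there is no way to invalidate it any earlier
    return claims

class BearerTokenStore:
    """The 'guest list': opaque random codes looked up in a server-side table, revocable at will."""
    def __init__(self):
        self._table = {}
    def issue(self, user: str) -> str:
        code = secrets.token_urlsafe(32)  # no information inside; it only keys the lookup
        self._table[code] = user
        return code
    def lookup(self, code: str):
        return self._table.get(code)
    def revoke(self, code: str) -> None:
        self._table.pop(code, None)

def tamper(token: str, new_claims: dict) -> str:  # rewrite the payload without re-signing; verification must fail
    h, _, s = token.split(".")
    return f"{h}.{_b64url(json.dumps(new_claims).encode())}.{s}"
```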
