Token based authentication and scalability? An illusion?


Question

I just read The Ins and Outs of Token-based Authentication. It claims scalability is the main issue with server based authentication since the server has to store sessions locally. And it prompts token based authentication as the cure.

But really?

Authentication is just one of the possible places that could cause a scalability issue. As long as there's ANY user-specific state info stored on the server side, no matter whether it is stored at session scope or web application scope, that will also cause a scalability issue. It is overly exaggerated to say token based authentication alone can solve the scalability issue. There are too many other factors which are much stronger ones. Just because token-based authentication is stateless doesn't mean the whole server CAN BE stateless.

Let's take JWT as an example, by the definition of JWT:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

I don't think JWT is suitable for storing state info beyond authentication data, because the common reasonable places for JWT storage all have a small size limit, such as the HTTP header and the Cookie.

Do you agree? Could anyone shed some light on this?

Answer

Whether or not your application needs session state for other things does not affect the scalability characteristics of using JWT tokens.

It's perfectly possible to design a truly stateless application, in which case the use of token based authentication allows you to remain stateless.

You should not use security tokens to store session info as tokens are signed and session info is usually volatile. The issuer would need to re-sign the token each time one of the claims changes.
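The point made in the question (a signed token lets the server verify identity without any session store) and in the answer (volatile session data cannot live in the token without the issuer re-signing it on every change) can be seen in a few lines of code. The following is an added example, not code from the question, the answer or any library: a minimal HS256 JWT mint/verify pair built only on the Python standard library. The signing key, the claim names and the function names (`mint`, `verify`, `reissue`, `tamper_claim`) are constructed for the example; a real deployment would use a maintained JWT library and load the key from a secret store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for this example only; not a real secret.
SECRET = b"demo-signing-key-not-for-production"

_COMPACT = {"separators": (",", ":")}  # canonical, whitespace-free JSON


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7519 requires for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url: restore the stripped '=' padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint(claims: dict, key: bytes = SECRET) -> str:
    """Issue a compact HS256 JWT. The signature is computed once, at issuance,
    over header.payload; any later change to either segment breaks it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **_COMPACT).encode())
    payload = _b64url(json.dumps(claims, **_COMPACT).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, key: bytes = SECRET, now=None):
    """Stateless check: the verifier needs only the key, never a session table.
    Returns the claims dict on success, or None on any failure."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm to the one we issue; never trust 'alg' from the token
        # to pick a different verification routine.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict):
            return None
        now = int(time.time()) if now is None else now
        if "exp" in claims and now >= int(claims["exp"]):
            return None
        return claims
    except (ValueError, TypeError):
        # Malformed base64, JSON or segment count all land here.
        return None


def reissue(token: str, changes: dict, key: bytes = SECRET, now=None):
    """What the answer describes: to change a claim, the issuer must verify the
    old token, apply the change, and sign a brand-new token."""
    claims = verify(token, key, now)
    if claims is None:
        return None
    updated = dict(claims)
    updated.update(changes)
    return mint(updated, key)


def tamper_claim(token: str, name: str, value) -> str:
    """Rewrite one payload claim WITHOUT re-signing, i.e. what a client (or a
    naive 'keep the session in the token' design) would have to do."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims[name] = value
    return f"{h}.{_b64url(json.dumps(claims, **_COMPACT).encode())}.{s}"


if __name__ == "__main__":
    tok = mint({"sub": "alice", "role": "user", "exp": 2000000000})
    print("valid   :", verify(tok, now=1700000000))
    print("tampered:", verify(tamper_claim(tok, "cart_items", 3), now=1700000000))
    print("reissued:", verify(reissue(tok, {"cart_items": 3}, now=1700000000), now=1700000000))
```

`verify` touches no shared state, so any number of identical servers can check a token given only the key, which is the scalability property the article in the question is describing. `tamper_claim` shows the other half of the answer: an edit to the payload without the issuer's key produces a token that no longer verifies, so every change to session-like data (`cart_items` here) has to go back through `reissue`, and with a short `exp` that round trip happens constantly.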

