JWT: Authentication in slim v3 and Android


Problem description

I am using Slim framework to return JSON to my Android device. I am currently working on login on my device. I am using 3 different ways to log in: Facebook, Google and account login. When he takes account login he can register a new account or log in with an existing one.

For security on my web service I thought to use JWT security. So I am reading and watching videos about how it works. I think I understand how it works, but I cannot find anything about how to implement it correctly.

The middleware I use for slim v3 is called: Slim-JWT-Auth. I found the following link to implement this in my slim framework, and it works correctly, I think.

Now my questions:

  1. How to generate my token?
  2. When to generate my token?
  3. Do I also need a token when using Google or Facebook sign-in? Because they already use an Auth2.0 token?

I understand how it works but nobody is talking about when and how to implement it. So when do I need to generate the token (on login on the webservice?), and do I need to generate a token after every start of the app, or do I just need to wait until the token expires?

Recommended answer

How to generate my Token?

Since the middleware already includes the firebase/php-jwt library, you can use it to generate the token.

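use \Firebase\JWT\JWT;

$now = new DateTime();
$future = new DateTime("now +2 hours");
$server = $request->getServerParams();
$payload = [
    "iat" => $now->getTimestamp(),      // issued at
    "exp" => $future->getTimestamp(),   // expires two hours later
    "sub" => $server["PHP_AUTH_USER"]   // username supplied via HTTP Basic auth
];

// Inline here for illustration only; keep the real secret out of version control.
$secret = "supersecretkeyyoushouldnotcommittogithub";
$token = JWT::encode($payload, $secret, "HS256");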

When to generate my token?

In your API you can, for example, include a password-protected route which returns the token. All other routes except /token are JWT authenticated. The client can request a token with every request or just always a bit before the old one expires.

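// HTTP Basic authentication protects only the /token route.
$app->add(new \Slim\Middleware\HttpBasicAuthentication([
    "path" => "/token",
    "users" => [
        "test" => "test"
    ]
]));

// Every other route requires a valid JWT; /token is passed through.
$app->add(new \Slim\Middleware\JwtAuthentication([
    "secret" => "supersecretkeyyoushouldnotcommittogithub",
    "rules" => [
        new \Slim\Middleware\JwtAuthentication\RequestPathRule([
            "path" => "/",
            "passthrough" => ["/token"]
        ])
    ]
]));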

$app->post("/token", function ($request, $response, $arguments) {

    $now = new DateTime();
    $future = new DateTime("now +2 hours");
    $server = $request->getServerParams();

    // The subject is the user that passed HTTP Basic authentication.
    $payload = [
        "iat" => $now->getTimestamp(),
        "exp" => $future->getTimestamp(),
        "sub" => $server["PHP_AUTH_USER"],
    ];
    // Must be the same secret the JwtAuthentication middleware is configured with.
    $secret = "supersecretkeyyoushouldnotcommittogithub";
    $token = JWT::encode($payload, $secret, "HS256");
    $data = [];
    $data["status"] = "ok";
    $data["token"] = $token;

    return $response->withStatus(201)
        ->withHeader("Content-Type", "application/json")
        ->write(json_encode($data, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT));
});

Do I also need a token when using Google or Facebook sign-in? Because they already use an Auth2.0 token?

There is no clear answer to this. It "depends". You could, for example, authenticate your /token route with Facebook or Google and return your own JWT token from there.

There is a work-in-progress, more detailed example implementation of everything above that you might want to check.
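What the two-hour HS256 token from the /token route contains, and the checks a server has to make before trusting it on other routes, shown as an added example that is not part of the original answer and is not the code of Slim-JWT-Auth or firebase/php-jwt. It uses only PHP built-ins; the function names, the `JWT_SECRET` environment variable and the demo values are assumptions made for illustration.

```php
<?php
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), "+/", "-_"), "=");
}

function b64url_decode(string $txt): string
{
    $txt = strtr($txt, "-_", "+/") . str_repeat("=", (4 - strlen($txt) % 4) % 4);
    return (string) base64_decode($txt, true);
}

// Same claims as the /token route: iat, exp (two hours by default), sub.
function issue_token(string $sub, string $secret, int $now, int $ttl = 7200): string
{
    $head = b64url(json_encode(["typ" => "JWT", "alg" => "HS256"]));
    $body = b64url(json_encode(["iat" => $now, "exp" => $now + $ttl, "sub" => $sub]));
    return "$head.$body." . b64url(hash_hmac("sha256", "$head.$body", $secret, true));
}

// Returns the claims, or null if the token must be rejected.
function verify_token(string $token, string $secret, int $now): ?array
{
    $parts = explode(".", $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$head, $body, $sig] = $parts;
    $header = json_decode(b64url_decode($head), true);
    // Pin the algorithm on the server; do not use whatever the token declares.
    if (!is_array($header) || ($header["alg"] ?? null) !== "HS256") {
        return null;
    }
    // Constant-time comparison of the recomputed HMAC with the presented one.
    $mac = hash_hmac("sha256", "$head.$body", $secret, true);
    if (!hash_equals($mac, b64url_decode($sig))) {
        return null;
    }
    $claims = json_decode(b64url_decode($body), true);
    $exp = is_array($claims) ? ($claims["exp"] ?? null) : null;
    return (is_int($exp) && $exp > $now) ? $claims : null;
}

// Constructed demo values; JWT_SECRET is an assumed environment variable name.
$secret = getenv("JWT_SECRET") ?: "constructed-demo-secret";
$token = issue_token("test", $secret, 1700000000);
var_dump(verify_token($token, $secret, 1700000060));           // within lifetime
var_dump(verify_token($token, $secret, 1700007201));           // past exp
var_dump(verify_token($token, "another-secret", 1700000060));  // wrong key
```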
