How to get a JWT?

Views: 362

Question

When reading about securing an app with JWTs, it is often said that the client initially gets a token from the server and then sends this token along with every request to the API.

This approach works great, once you have a token. As far as I can see, the default way of transferring a token is using an HTTP header, namely Authentication with Bearer as the prefix of the token as value.

But - is there also a default way of how to get the token initially? In samples you often see that this is just a simple request to an HTTP endpoint, that then returns JSON. But I was wondering whether there is something more of a standard workflow that e.g. describes what should be the name of this endpoint, as in OAuth2?

Any hints?

Recommended answer

JWT is a token format which is used in security protocols like OAuth2 and OpenID Connect.

How to get the token from the authorization server depends on the grant flow you are using.

There are 4 grant flows defined in OAuth 2.0 that are intended for different clients and uses.

This grant is intended for web applications. The user's browser is redirected (HTTP 302) to the authorization server. The authorization server takes care of authenticating the user (via username/password, smartcard, 2-factor auth, whatever).

The authorization server then redirects the browser back to a preregistered endpoint in the web application with a code. The web application then uses its own credentials (client id and client secret) and the authorization code to request an access token from the authorization server.

The authorization server returns an access token and a refresh token to the web application. Note that the browser (untrusted) never sees the access token. Only the web application (trusted) has access to the access token and refresh token.

This grant is difficult to use from clients other than web applications as it's based on HTTP redirection.

This grant is used for untrusted clients like JavaScript applications or 3rd party mobile clients (the ones you download from the app-store).

It also redirects a browser (or browser control) to the authorization server, but instead of returning a code to the browser after successful authentication, it returns an access token directly. Because the client is not trusted, the grant does not return a refresh token. The access token needs to be stored somewhere and is vulnerable to XSS attacks.

Even though you do not get a refresh token, some implementations do provide a way to get a new access token by communicating to the authorization server in a hidden IFRAME and using cookies to authenticate with the authorization server itself.

This grant is for trusted clients, for example a desktop application or a first party mobile app with secure storage capabilities. The client application asks the user (the resource owner) for their username/password and then sends this to the authorization server to acquire an access token and refresh token.

Once the client has the access token, it can discard the password as it can use the refresh tokens to get new access tokens. This makes it more secure than basic authentication.

This grant does not depend on browser redirects and can be easily used from any application that can execute HTTP requests.

This grant is meant to authenticate the client (application) instead of the user of the client.

In this case, the client submits its client id and secret directly to the authorization server to acquire an access and refresh token.

So basically the first two grants depend on browser-like capabilities (HTTP redirects, HTML login pages), where the other two grants only need an HTTP stack to communicate with the authorization server.
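The four grants the answer walks through are, in RFC 6749 order, the authorization code grant, the implicit grant, the resource owner password credentials grant and the client credentials grant. The following in-memory model is an added example, not code from the answer or from any OAuth2 library: `authorize()` stands in for the front-channel endpoint the browser is redirected to and `token()` for the back-channel token endpoint. RFC 6749 fixes the parameter names used here (`response_type`, `grant_type`, `code`, `redirect_uri`, `client_id`, `client_secret`, `username`, `password`, `refresh_token`) but not the endpoints' URL paths; OpenID Connect Discovery publishes those as `authorization_endpoint` and `token_endpoint`, which is the closest thing to the "standard name" the question asks about. The client ids, secret, redirect URIs and the user `alice` are constructed. One deliberate difference from the answer: for the client credentials grant the model follows RFC 6749 section 4.4.3, which says a refresh token should not be issued.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class Client:
    client_id: str
    redirect_uri: str
    client_secret: Optional[str] = None  # None: public client (browser app, store-downloaded mobile app)

    @property
    def confidential(self) -> bool:
        return self.client_secret is not None


class AuthorizationServer:
    """Model of the two OAuth2 endpoints: authorize (front channel) and token (back channel)."""

    def __init__(self, clients, users: Dict[str, str]):
        self.clients = {c.client_id: c for c in clients}
        self.users = users                                    # username -> password (constructed)
        self.codes: Dict[str, Tuple[str, str]] = {}           # code -> (client_id, subject)
        self.refresh_tokens: Dict[str, Tuple[str, str]] = {}  # refresh token -> (client_id, subject)
        self.access_tokens: Dict[str, str] = {}               # access token -> subject

    def _issue(self, client_id: str, subject: str, with_refresh: bool) -> dict:
        access = secrets.token_urlsafe(24)  # opaque here; a JWT would do equally well
        self.access_tokens[access] = subject
        response = {"access_token": access, "token_type": "Bearer", "expires_in": 3600}
        if with_refresh:
            rt = secrets.token_urlsafe(24)
            self.refresh_tokens[rt] = (client_id, subject)
            response["refresh_token"] = rt
        return response

    def authorize(self, response_type, client_id, redirect_uri, username, password) -> str:
        """The browser arrives here after the 302; the server logs the user in and redirects back."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client.redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        if not username or self.users.get(username) != password:
            raise PermissionError("user authentication failed")
        if response_type == "code":    # authorization code grant: only a one-time code reaches the browser
            code = secrets.token_urlsafe(16)
            self.codes[code] = (client_id, username)
            return redirect_uri + "?" + urlencode({"code": code})
        if response_type == "token":   # implicit grant: the token itself lands in the fragment, no refresh token
            return redirect_uri + "#" + urlencode(self._issue(client_id, username, with_refresh=False))
        raise ValueError("unsupported response_type")

    def token(self, grant_type, client_id, client_secret=None, **params) -> dict:
        """Back channel. Confidential clients present their secret; codes and refresh tokens are single-use."""
        client = self.clients.get(client_id)
        if client is None:
            raise PermissionError("unknown client")
        if client.confidential and not secrets.compare_digest(client.client_secret, client_secret or ""):
            raise PermissionError("client authentication failed")
        if grant_type == "authorization_code":
            code_client, subject = self.codes.pop(params.get("code", ""), (None, None))
            if code_client != client_id or params.get("redirect_uri") != client.redirect_uri:
                raise PermissionError("invalid or reused code")
            return self._issue(client_id, subject, with_refresh=True)
        if grant_type == "password":            # resource owner password credentials: trusted clients only
            username, password = params.get("username"), params.get("password")
            if not username or self.users.get(username) != password:
                raise PermissionError("user authentication failed")
            return self._issue(client_id, username, with_refresh=True)
        if grant_type == "client_credentials":  # authenticates the application itself, not a user
            if not client.confidential:
                raise PermissionError("client_credentials requires a confidential client")
            return self._issue(client_id, client_id, with_refresh=False)  # RFC 6749 4.4.3: no refresh token
        if grant_type == "refresh_token":
            rt_client, subject = self.refresh_tokens.pop(params.get("refresh_token", ""), (None, None))
            if rt_client != client_id:
                raise PermissionError("invalid or reused refresh token")
            return self._issue(client_id, subject, with_refresh=True)
        raise ValueError("unsupported grant_type")


def exchange_code_from_redirect(server: AuthorizationServer, client: Client, redirect_url: str) -> dict:
    """The web application's step: take the code off the redirect and swap it for tokens with its own secret."""
    code = parse_qs(urlsplit(redirect_url).query)["code"][0]
    return server.token("authorization_code", client.client_id, client.client_secret,
                        code=code, redirect_uri=client.redirect_uri)


def fragment_params(redirect_url: str) -> dict:
    """What a browser-side (implicit) client reads out of the URL fragment."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}


def build_demo_server():
    """Constructed clients and user for the demo: one confidential web app, one public SPA."""
    web_app = Client("web-app", "https://app.example/callback", client_secret="constructed-secret")
    spa = Client("spa", "https://spa.example/callback")
    return AuthorizationServer([web_app, spa], {"alice": "constructed-password"}), web_app, spa
```

Running the four flows against `build_demo_server()` shows the answer's points directly: the authorization code redirect carries only `code=` and the browser never sees a token, the same code cannot be exchanged twice, the implicit redirect carries `access_token` in the fragment and no `refresh_token`, the password and client credentials grants need no redirect at all, and a confidential client with the wrong secret is refused at the token endpoint.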

