JWT: how to handle GET requests when user opens a new tab?


Question


There is a lot of advantages when using JWT over Cookies on API-centric apps and I understand that you can store the token on sessionStorage when accessing the app via a browser. You can set an interceptor on your JS code to inject the JWT token on Authorization header for GET requests -- as long as these GET requests are being made from the same code that authenticated the user.


But what happens when the user is authenticated, then opens a new tab and tries to access a different restricted area (or even the same area) of the app/site? In this case, there is no interceptor to inject the token on the Authorization header on the new tab. I suppose the server will receive the GET request, look for a JWT token on the Authorization header and will not find it, rejecting the request.


When you are using Cookies, they are always sent by the browser natively and you don't have to worry about new tabs and authentication.


Is there a way to set up the Authorization header globally for the domain on the browser the moment the user authenticates in the first tab? What are the usual solutions for this matter, if any?

Answer


Upon accessing a protected URL without the right credentials (like a JWT) the browser would be redirected to a specific endpoint (e.g. on the Authorization Server) where it can get a new JWT.


This happens for example in the OpenID Connect Implicit flow: http://openid.net/specs/openid-connect-implicit-1_0.html


But it would also be possible to store the JWT in a cookie. That's just not a standardized way of presenting JWTs so it would be specific to your client/browser and the protected application.
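The two options in the answer, as an added example that is not part of the original question or answer: a framework-free request guard that accepts a JWT from the Authorization header (the interceptor case) or from a cookie (the second option), and otherwise builds the redirect to an authorization endpoint (the first option). The cookie name `access_token`, the `/authorize` path and the injected `verifyJwt` callback are assumptions, not anything the answer specifies.

```javascript
// Added example; cookie name, endpoint path and verifyJwt() are assumptions.
const COOKIE_NAME = 'access_token';        // assumed cookie name
const AUTHORIZE_ENDPOINT = '/authorize';   // assumed re-authentication endpoint

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Look for a token in the Authorization header first, then in the cookie.
// Returns null when neither carries one (the "new tab" situation).
function extractToken(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization || '');
  if (m) return { token: m[1], source: 'header' };
  const cookies = parseCookies(headers.cookie);
  if (cookies[COOKIE_NAME]) return { token: cookies[COOKIE_NAME], source: 'cookie' };
  return null;
}

// Decide what to do with a GET on a protected path. verifyJwt is injected to
// keep the example self-contained; a real check validates signature, exp, iss, aud.
function guardRequest({ path, headers }, verifyJwt) {
  const found = extractToken(headers);
  if (found && verifyJwt(found.token)) {
    return { status: 200, source: found.source };
  }
  // No usable credential: redirect the browser to re-authenticate, carrying the
  // requested path so the flow can return to it afterwards.
  const location = `${AUTHORIZE_ENDPOINT}?redirect_uri=${encodeURIComponent(path)}`;
  return { status: 302, location };
}

// Set-Cookie value for the cookie option. HttpOnly keeps page scripts away from
// the token, Secure restricts it to HTTPS, and SameSite=Lax limits cross-site
// sends (the CSRF exposure a cookie-borne credential has and a header does not).
function buildTokenCookie(token, maxAgeSeconds) {
  return `${COOKIE_NAME}=${encodeURIComponent(token)}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}
```

With a cookie set this way, a request from a fresh tab reaches `guardRequest` with the token in `headers.cookie` and is served without any client-side interceptor.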

