Sending JWT alongside html document in http response


Problem description



How to send the JWT to a client just after the client has authenticated, without using cookies, when an HTML document body needs to be sent too?

There are docs, blog posts, and tutorials explaining cookie-less JWT authentication and leveraging the Web Storage API to save the JWT client side. But all of them are trivial examples that do not send an HTML document in the HTTP response body upon authentication, which is necessary in some real-world applications I can imagine. A cookie can be sent in the cookie HTTP response header alongside an HTML document in the same response's body; I still could not come across a post explaining how to do this with a JWT in the response instead of a cookie. As far as I know, there is no API to reach the response headers from JavaScript in the browser if one wants to send the JWT in the response headers alongside the HTML document in the response body.

Solution

I have handled your scenario in my project, and it can be done in two ways depending on the technology stack you are using and your environment constraints; using OAuth is not mandatory.

Method 1

Send the JWT embedded in the HTML page as a tag. It won't be rendered on the page but can be parsed by you. However, it will be visible in the source window of the browser, but it doesn't matter, as that would be a protected page and, once the next page is rendered, it will not be available.

Method 2

You can send the JWT in a cookie for the first time with an http-only constraint. Handling it over HTTPS would bring in extra leverage. Also, like you mentioned, you can delete the cookie. In case you are using AngularJS on your client side, you have the provision of securing cookies by restricting XHR from the same domain, which would avoid the extra task of deleting the cookie.

In fact, @user981375 was mentioning redirection, which can be handled too by Method 1 above. In my case, the server provided the redirection URL after successful login; however, Ajax wouldn't be able to see a 302 header and would instead see a 200. So we intercepted that part on the server and embedded the token into the 200 response page, i.e. the redirected page, which is parsed by the client.
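One way to implement both methods from the answer above, as an added example that is not part of the original answer or of the answerer's project. It goes slightly beyond the answer: before the token is embedded it is checked against the three-segment base64url shape of a JWT and HTML-escaped, the page is sent with `Cache-Control: no-store` so the token does not end up in a disk cache, and the cookie variant carries `Secure` and `SameSite=Strict` as well as `HttpOnly`. The meta tag name `access-token`, the cookie name `access_token`, the header values, the `demo()` helper and the sample token are assumptions for illustration only. Runs under Node.js with no dependencies.

```javascript
'use strict';

// A JWT is three base64url segments separated by dots (the signature segment is
// empty for an unsecured "alg":"none" token). Refusing anything else before it
// reaches markup means the value can never contain '<', '"' or '&'; the HTML
// escaping below is then a second line of defence rather than the only one.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

function assertJwtShape(token) {
  if (typeof token !== 'string' || !JWT_SHAPE.test(token)) {
    throw new Error('refusing to embed a value that is not shaped like a JWT');
  }
  return token;
}

function escapeHtmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Method 1 (server side): embed the token in a non-rendered <meta> tag of the
// protected page. "no-store" keeps the page, and the token inside it, out of
// browser and proxy caches. Header and tag names are assumptions.
function renderPageWithToken(token, bodyHtml) {
  const safe = escapeHtmlAttr(assertJwtShape(token));
  const html =
    '<!doctype html><html><head><meta charset="utf-8">' +
    `<meta name="access-token" content="${safe}">` +
    '</head><body>' + bodyHtml + '</body></html>';
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Cache-Control': 'no-store',
    },
    body: html,
  };
}

// Method 1 (browser side): read the tag, remove it from the live DOM so later
// scripts cannot pick it up, and keep the token in sessionStorage so it goes
// away when the tab closes. In a real page call it as
// readAndClearToken(document, window.sessionStorage); the parameters exist so
// the function can be exercised outside a browser.
function readAndClearToken(doc, storage) {
  const el = doc.querySelector('meta[name="access-token"]');
  if (!el) return null;
  const token = el.getAttribute('content');
  el.remove();
  storage.setItem('access-token', token);
  return token;
}

// Method 2: first delivery in a cookie. HttpOnly hides it from script, Secure
// restricts it to https, SameSite=Strict keeps cross-site requests from
// sending it, and Max-Age=0 is how the server later deletes it.
function tokenCookie(token, { maxAgeSeconds = 300 } = {}) {
  const value = assertJwtShape(token);
  return `access_token=${value}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

function deleteTokenCookie() {
  return 'access_token=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Strict';
}

// Constructed sample token (header {"alg":"HS256"}, payload {"sub":"alice"},
// placeholder signature); it is not a real credential.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln';

// Show the server-side output of both methods for the sample token.
function demo() {
  const page = renderPageWithToken(SAMPLE_JWT, '<p>Logged in.</p>');
  return {
    method1: page,
    method2SetCookie: tokenCookie(SAMPLE_JWT),
    method2DeleteCookie: deleteTokenCookie(),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With Method 1 the token is readable by anything that can read the page source or the DOM before `readAndClearToken` runs (an injected script, a browser extension, a saved copy of the page), which is why the example removes the tag immediately and forbids caching; with Method 2 script cannot read the cookie at all, but the token is then sent automatically on every matching request, so the `SameSite` and `Path` attributes matter.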

