我应该在Django Rest Framework中使用JWT或基本令牌认证吗？ [英] Should I use JWT or Basic Token authentication in Django Rest Framework?

问题描述

我将使用Django Rest Framework在我的API中实现令牌身份验证。
但是我不知道我是否应该使用基本标记内置的DRF或使用JSON Web令牌（JWT）标准（使用这个包 djangorestframework-jwt ）
我发现的唯一引用是在DRF文档中：

与内置的TokenAuthentication方案不同，JWT Authentication
不需要使用数据库来验证令牌。

有什么其他区别，优点或缺点要考虑？

注意：API将从网站（使用angularjs）和移动应用程序访问

解决方案

当查看当前令牌授权机制，我建议使用JWT令牌，无论平台如何。 JWT令牌包含所有权利要求，并可在客户端上安全解码。这意味着，不仅仅是接收到不给客户端提供信息的不透明令牌，您可以将令牌存储在令牌中，并在客户端上解码以构建您的界面。 JWT令牌是无状态的，因此您无需存储或跟踪服务器端，如果您扩展到多个服务器，那么这是有益的。它们也是安全的，因为您存储私有签名密钥服务器端，可以让您确保进入您的API的任何呼叫都使用您的授权API颁发的有效令牌。

&p JWT令牌与Angular客户端非常好地发挥。因为它们是JSON，您可以在Angular客户端中对它们进行解码，甚至将客户端ui元素直接绑定到您的声明（拥有管理员权限的用户可以看到管理员菜单，没有声明的用户将永远不会知道如果实现了权限，菜单就会存在）除此之外，JWT令牌仍然以与任何承载令牌（由auth api颁发，由客户端存储，在授权头文件中传递到资源api）相同的方式运行。 ）所以真的没有什么缺点使用它，我可以想到。

总而言之，您将在客户端和服务器之间来回减少工作以及较少的工作当您执行JWT令牌时，您的比例。

I'm about to implement Token Authentication in my API using Django Rest Framework. But I'm not sure if I should use the basic token build-in DRF or use the JSON Web Token (JWT) standard (using this package djangorestframework-jwt) The only reference that I found was in the DRF docs:

Unlike the built-in TokenAuthentication scheme, JWT Authentication doesn't need to use a database to validate a token.

Is there any other difference, advantages or disadvantages to consider?

Note: The API is gonna be accessed from the website (using angularjs) and by a mobile app

解决方案

When looking at current token authorization mechanisms, I would recommend using JWT tokens regardless of the platform. JWT tokens contain all of the claims within and can be decoded on the client safely. This means instead of just receiving an opaque token that gives no information to the client you can store claims in the token and decode on the client to build your interface. JWT tokens are stateless so you will have no need to store or keep track of them server side which is beneficial should you scale to multiple servers. They are also safe because you store the private signing key server side which allows you to be sure that any calls coming into your API are using a valid token that was issued by your authorization API.

JWT tokens play very nicely with Angular clients. Because they are JSON you can decode them in your Angular client and even bind the client ui elements directly to your claims (someone with an admin claim can see an admin menu and a user without that claim will never know the menu exists if implemented right).

Aside from this, a JWT token still behaves in the same way as any bearer token (issued by auth api, stored by client, passed to resource api in authorization header) so there really are no downsides to using it that I can think of.

In summary, you will have less back and forth between client and server as well as less work when you scale if you implement JWT tokens.

这篇关于我应该在Django Rest Framework中使用JWT或基本令牌认证吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！