如何正确使用Bearer令牌？ [英] How to properly use Bearer tokens?

问题描述

我在 PHP 中创建了一个授权系统，我遇到了传递JWT令牌的Bearer方案，我读了 RFC 6750 。我有以下疑问：

I'm making an authorization system in PHP, and I came across this Bearer scheme of passing JWT tokens, I read RFC 6750. I've got the following doubts:

1. 这如何提高安全性？


2. 服务器在成功授权和登录后，客户端在其正文中响应JWT令牌，现在当客户端发出另一个请求时，我不清楚如何实际执行此操作，我想在请求中的Authorization头中从客户端发送令牌，所以我现在应该只将Bearer作为我在服务器上一次响应中收到的令牌的前缀，如果是，那么服务器在接收Authorization头时，应该只用空格分割字符串，并取得获得的第二个值数组然后解码吗？例如授权：Bearer fdbghfbfgbjhg_something ，服务器应如何处理此问题， decodeFunc（explode（，$ this-> getRequest（） - > getHeader（授权））[1]）？

1. How is this improving the security?
2. The server responses the client with a JWT token in its body after a successful authorization and login, and now when the client makes another request, I am not clear how to actually do that, I want to send token from client in Authorization header in the request, so now should I just prefix "Bearer" to the token which I received in the previous response from the server and If yes, then server on receiving the Authorization header, should just split the string with space, and take the second value from the obtained array and then decode it? For example Authorization: Bearer fdbghfbfgbjhg_something, how is server supposed to handle this, decodeFunc(explode(" ", $this->getRequest()->getHeader("Authorization"))[1])?

推荐答案

1.提高安全性，因为如果在url发送的标头中没有发送令牌，它将被网络系统，服务器日志记录....

1.Improving the security because if token is not sent in the header that sent in url, it will be logged by the network system, the server log ....

2.获得持票人代币的良好功能

2.A good function to get Bearer tokens

/** 
 * Get hearder Authorization
 * */
function getAuthorizationHeader(){
        $headers = null;
        if (isset($_SERVER['Authorization'])) {
            $headers = trim($_SERVER["Authorization"]);
        }
        else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { //Nginx or fast CGI
            $headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
        } elseif (function_exists('apache_request_headers')) {
            $requestHeaders = apache_request_headers();
            // Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
            $requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
            //print_r($requestHeaders);
            if (isset($requestHeaders['Authorization'])) {
                $headers = trim($requestHeaders['Authorization']);
            }
        }
        return $headers;
    }
/**
 * get access token from header
 * */
function getBearerToken() {
    $headers = $this->getAuthorizationHeader();
    // HEADER: Get the access token from the header
    if (!empty($headers)) {
        if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
            return $matches[1];
        }
    }
    return null;
}

这篇关于如何正确使用Bearer令牌？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！