如何正确处理JWT刷新？ [英] How to properly handle a JWT refresh?

问题描述

我有一个Android应用程序。它与 Jersey 开发的 REST API 连接。我的REST端点由令牌保护。下面是我如何生成它们。

I have an android app. It connects with a REST API developed with Jersey. My REST End points are secured with Tokens. Below is how I generate them.

Algorithm algorithm = Algorithm.HMAC256(secret);
String token = JWT.create()
    .withClaim("userName","myusername)
    .withExpiresAt(expirationDate)
    .sign(algorithm);

以下是我验证令牌的方法

Below is how I validate the token

public boolean validateTokenHMAC256(String token, String secret) throws UnsupportedEncodingException, JWTVerificationException
    {       
        Algorithm algorithm = Algorithm.HMAC256(secret);


        JWTVerifier verifier = JWT.require(algorithm) 
                .build(); //Reusable verifier instance
            DecodedJWT jwt = verifier.verify(token);

            Claim usernameClaim = jwt.getClaim("username");
            String username = usernameClaim.asString();
            System.out.println(username);


        return true;
    }

在我的REST API中，我有一个过滤器，该过滤器检查每个请求以查看是否令牌就是这样是。以下是代码。

In my REST API I have a filter and that filter checks every request to see whether the token is as it is. Below is the code.

@Secured
@Provider
@Priority(Priorities.AUTHENTICATION)
public class AuthenticationFilter implements ContainerRequestFilter{

    //private static String authorizationSecret = "ZXW24xGr9Dqf9sq5Dp8ZAn5nSnuZwux2QxdvcH3wQGqYteJ5yMTw5T8DBUJPbySR";

    public AuthenticationFilter()
    {
        System.out.println("test printing");
    }

    @Override
    public void filter(ContainerRequestContext crc) throws IOException
    {
        String headerString = crc.getHeaderString("Bearer");
        System.out.println("bluh: "+headerString);
        System.out.println("test printing");

        try
        {
            boolean validateToken = validateToken(headerString, AuthKey.authorizationSecret);
            System.out.println("valid");
        }
        catch(Exception e)
        {
            System.out.println("invalid");
            crc.abortWith(
                Response.status(Response.Status.UNAUTHORIZED).build());
        }

    }

    private boolean validateToken(String strToken, String secret) throws UnsupportedEncodingException, JWTVerificationException
    {
        Token token = new Token();
        return token.validateTokenHMAC256(strToken,secret);
    }



}

当用户登录应用程序时，将调用上述代码。但是令牌将在60分钟后过期。我知道在令牌过期后，我必须让用户返回登录屏幕或刷新令牌。我在此处和这里

The above code will be called when the user login to the application. However the token will be expired in 60 minutes. I know that after the token is expired either I have to take the user back to sign in screen or refresh the token. I went through the advices in here and here

但我不理解以下内容。

1. 如何确定令牌是否必须续订？我认为我应该在它过期后这样做，但似乎并非如此。如果我要求它刷新 now< exp ，它将在每个请求中刷新。

1. How can I figure out whether the token has to be renewed? I thought I should do that after it is expired, but seems that is not the case. If I ask it to refresh in now<exp it will refresh in every request.

怎么能我将此令牌分配并发送给用户？目前，当用户登录时，他将获得令牌并将其保存在变量中。为了使刷新的令牌工作，我是否必须再次调用 login 方法（因此令牌将被发送给用户）或JWT它自己将处理案例？

How can I assign and send this token back to the user? Currently when the user login on, he will get the token and he will save it in a variable. For the refreshed token to work, do I have to call the login method again (So the token will be sent to the user) or JWT it self will handle the case?

我如何使用 java-实际引用jwt ？

推荐答案

1. 如何确定令牌是否必须续订？我认为我应该在它过期后这样做，但似乎并非如此。如果我要求它现在刷新
   

1. How can I figure out whether the token has to be renewed? I thought I should do that after it is expired, but seems that is not the case. If I ask it to refresh in now

您需要在令牌过期之前刷新令牌。确定您的保单：

You need to refresh the token before it is expired. Decide your policy:

• 在每个请求中发出一个新令牌

• issue a fresh token in every request

在当前的令牌即将到期时发出新令牌。例如10分钟

issue a fresh token when the current one is close to expire. e.g. 10 min

让客户端应用程序在需要时使用api的刷新服务请求新令牌。例如

let client app request a new token when it needs it using a "refresh service" of your api. For example

@GET
@Path("/jwt/refresh")
@Produces(MediaType.TEXT_HTML)
public String refresh(){
    //Build a returns a fresh JWT to client 
}

1. 如何分配并将此令牌发回给用户？

如果您发出在请求期间的新令牌，您可以将其返回到客户端在处理响应期间将读取的特殊标头中。如果您发布如上所述的刷新服务，那么客户端将在当前JWT接近到期时独立调用它

If you issue a fresh token during a request, you can return it in a special header that client will read during processing of the response. If you publish a "refresh" service as described above, then the client will call it independently when the current JWT is close to expire

重定向到登录方法不是很好替代方案，因为你将失去当前的请求

Redirect to login method is not a good alternative because you will lose the current request

1. 如何使用java-实际刷新jwt

只需发出新令牌

这篇关于如何正确处理JWT刷新？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！