
Django: DRF Token based Authentication VS JSON Web Token

I am building a real world application where users will access the app primarily from Android, iOS devices as well as Desktops.

From my elementary research, I have realized that a token based authentication mechanism is better and more elegant for client-server models as compared to session based authentication.

In Django, I have found two popular ways to do this -

  1. http://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
  2. http://getblimp.github.io/django-rest-framework-jwt/

From what I understood, option 2] is an extension of 1] except that the Token is in the form of JSON (serialized). I would like to understand what other differences there are between option 1] and 2] and the advantages/disadvantages of choosing either.

They both carry out similar tasks with few differences.

Token

DRF's builtin Token Authentication

  1. One Token for all sessions
  2. No time stamp on the token

DRF JWT Token Authentication

  1. One Token per session
  2. Expiry timestamp on each token

Database access

DRF's builtin Token Authentication

  1. Database access to fetch the user associated with the token
  2. Verify user's status
  3. Authenticate the user

DRF JWT Token Authentication

  1. Decode token (get payload)
  2. Verify token timestamp (expiry)
  3. Database access to fetch user associated with the id in the payload
  4. Verify user's status
  5. Authenticate the user

Pros

DRF's builtin Token Authentication

  1. Allows forced-logout by replacing the token in the database (ex: password change)

DRF JWT Token Authentication

  1. Token with an expiration time
  2. No database hit unless the token is valid

Cons

DRF's builtin Token Authentication

  1. Database hit on all requests
  2. Single token for all sessions

DRF JWT Token Authentication

  1. Unable to recall the token without tracking it in the database
  2. Once the token is issued, anyone with the token can make requests
  3. Specs are open to interpretation, no consensus on how to do refresh
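The two request flows the answer lists, as an added example that is not from the original thread or from either library: constructed in-memory dictionaries stand in for the database tables, the HS256 signing key and the user record are assumed, and the JWT is built and checked by hand rather than with django-rest-framework-jwt. It shows the opaque token being revoked by rotating the row, and the JWT being rejected on bad signature or expiry before any database access.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed in-memory stand-ins for the database tables (not DRF's models).
USERS = {1: {"username": "alice", "is_active": True}}
DRF_TOKENS = {}  # user id -> opaque key; one row per user, like DRF's Token model
SECRET = b"constructed-demo-signing-key"  # assumed HS256 key, never ship a literal


def drf_issue(user_id):
    """Issue (or rotate) the single opaque token for a user."""
    DRF_TOKENS[user_id] = secrets.token_hex(20)
    return DRF_TOKENS[user_id]


def drf_authenticate(key):
    """Every request costs a database lookup; replacing the row revokes access."""
    for user_id, stored in DRF_TOKENS.items():
        if hmac.compare_digest(stored, key):
            user = USERS.get(user_id)
            return user["username"] if user and user["is_active"] else None
    return None


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def jwt_issue(user_id, ttl=300, now=None):
    """Mint a self-contained HS256 token carrying the user id and an expiry."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"user_id": user_id, "exp": int(now + ttl)}).encode())
    sig = _b64(hmac.new(SECRET, header + b"." + payload, hashlib.sha256).digest())
    return b".".join([header, payload, sig]).decode()


def jwt_authenticate(token, now=None):
    """Signature and expiry are checked first; the database is touched only then."""
    now = time.time() if now is None else now
    parts = token.encode().split(b".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = _b64(hmac.new(SECRET, header + b"." + payload, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or foreign token: rejected before any DB access
    claims = json.loads(base64.urlsafe_b64decode(payload + b"=" * (-len(payload) % 4)))
    if claims.get("exp", 0) <= now:
        return None  # expired: still no DB access
    user = USERS.get(claims.get("user_id"))
    return user["username"] if user and user["is_active"] else None
```

Note that nothing in `jwt_authenticate` can reject a still-valid token after a password change; that is exactly the "unable to recall" point above, and fixing it means tracking issued tokens (or a per-user version claim) in the database.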
