基于REST API JWT令牌的身份验证安全性 拉拉韦尔/丁戈/ jwt
[英]Rest API JWT token based authentication security | laravel/dingo/jwt
问题描述
I am using JWT token based authentication for the authenticating my REST APIs exposed to mobile apps. 
我正在使用基于JWT令牌的身份验证来验证暴露给移动应用程序的REST API。 I have a login API where the user will be hitting to and get a JWT back as a response. 我有一个登录API,用户将在其中登录并获得JWT作为响应。 App has to use the JWT token for the rest of the requests. 应用程序必须对其余请求使用JWT令牌。 One question that struck during the development is. 在开发过程中遇到的一个问题是。
Once I give an authentication token to the user, he has access to rest of the set of APIs. 一旦我向用户提供了身份验证令牌,他就可以访问其余API集。
User 1 with JWT token T1 trying to access resources of user 2 is possible in my current design which is a flaw in my system. 在我当前的设计中,具有JWT令牌T1的用户1试图访问用户2的资源是可能的,这是我系统中的缺陷。 On each request do I have to check whether the user id in the token and the user id for which the process is requested matches and then proceed? 对于每个请求,我都必须检查令牌中的用户ID与请求该过程的用户ID是否匹配,然后继续吗? or is there any better way this is been handled some other way? 还是有其他更好的方法来处理呢?
I am using laravel framework with dingo rest and JWT lib. 我正在使用带有dingo rest和JWT lib的laravel框架。
Update 更新资料
Eg : 例如:
I as an individual got the endpoints from the app. 我个人是从应用程序获得端点的。 I logged in and received my jwt token which will be valid across rest of my resources. 我登录并收到了我的jwt令牌,该令牌将在其余资源中有效。 Now to get a list of products I have added using a different user id.I can do it this way 现在要获取使用其他用户ID添加的产品列表,我可以这样
My JWT token in the header 标头中的我的JWT令牌
GET /products/3 and 3 is not my user id!
In this case, Im just validating a jwt token, which will validate it and respond with the resource which is not MINE! 在这种情况下,我只是验证了一个jwt令牌,它将对其进行验证并使用非MINE的资源进行响应!
1 个解决方案
解决方案1
0 2015-12-19 14:24:23
TL;DR : It is imho quite common to use it this way, you should be good the way it is! TL; DR :以这种方式使用它是很常见的,您应该保持现状!
More detail : The point here is that the token is "obscure enough" so that there is an negligable chance a non-authorized user is obtaining the token from an authorized user. 详细信息 :这里的要点是令牌是“足够模糊的”,因此,非授权用户从授权用户获取令牌的机会微不足道。 In your example this means, that user 2 can with a very high probabilty not guess the token that user 1 is using. 在您的示例中,这意味着用户2可以以很高的概率不猜测用户1正在使用的令牌。
Of course this way may be prune to man-in-the-middle-attacks, so you should be sure to only transfer the tokens over a secure connection. 当然,这种方式可能适合中间人攻击,因此您应确保仅通过安全连接传输令牌。 I suggest "HTTPS only". 我建议“仅HTTPS”。 Also, you may think about only sending and receiving the tokens in the header, so they are not exposed in any content views. 另外,您可能会考虑仅在标头中发送和接收令牌,因此它们不会在任何内容视图中公开。
As a bit more background : Think about how PHP "standard" session cookies are working: The user (client) gets a session ID in a cookie and sends it back. 作为更多背景知识 :考虑一下PHP“标准”会话cookie的工作方式:用户(客户端)在cookie中获取会话ID并将其发送回去。 This is basically the same as you are doing here with the JWT, as user 2 could also somehow steal the cookie from user 1 here, and act on his behalf. 这基本上与您在JWT上所做的相同,因为用户2也可能以某种方式从此处的用户1窃取cookie,并代表他行事。 JWT even adds you a level with which you can easily confirm that you actually issued the token (provided you are using the RSA-keypair-style approach), which i think is an advantage over the PHP session ID cookie approach. JWT甚至为您添加了一个级别,您可以在该级别上轻松确认您是否实际发行了令牌(前提是您使用的是RSA密钥对样式方法),我认为这比PHP会话ID Cookie方法更具有优势。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.