JWT access token vs refresh token (creating)
I am creating an Asp.net Core REST service. Currently doing authentication via JWT bearer tokens.
Right now, my code looks like:
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;

// _options is the service's token settings: Issuer, Audience,
// AccessTokenExpiration (a TimeSpan) and SigningCredentials.
DateTimeOffset dtNow = DateTime.Now;   // carries the local offset, so ToUnixTimeSeconds() is correct
Claim[] claims = new Claim[]
{
    new Claim(JwtRegisteredClaimNames.Sub, strUsername),                // subject: the authenticated user
    new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),  // unique token id
    new Claim(JwtRegisteredClaimNames.Iat, dtNow.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64) // issued-at
};
JwtSecurityToken jwtAccess = new JwtSecurityToken(
    _options.Issuer,
    _options.Audience,
    claims,
    dtNow.DateTime,                                       // nbf
    dtNow.DateTime.Add(_options.AccessTokenExpiration),   // exp
    _options.SigningCredentials);
var response = new
{
    access_token = new JwtSecurityTokenHandler().WriteToken(jwtAccess),
    token_type = "Bearer",
    expires_in = (int)_options.AccessTokenExpiration.TotalSeconds,
    refresh_token = ""   // not implemented yet
};
Questions:
This is all dependent on the needs of your application, but these do sound like reasonable numbers.
They are not created the same. An access token is typically a token that contains the JWT. A refresh token is a reference token that must be saved on the provider and then looked back up when it is passed in for a new access token.
Refresh tokens do not have a signature to verify. Basically you will pass over information like the client ID and secret plus the refresh token, and this will allow you to get a new access token. It is like a username and password being saved for a long period of time that can be blacklisted if necessary.
No, you can update the refresh token every time they request a new access token; this will give you a "sliding" refresh token.
They can have different tokens for each app, but per application it is fine to overwrite their previous refresh token when they do a new login.
Yes, the users will have to get a new access token every ~30 minutes, but this also helps when your role provider is not the same as your application. This gives an API a way to look at roles without having to call the authorization server. The number of requests saved is drastic when you house the information in the token and only have to re-get that information every 30 minutes instead of making an extra HTTP request to a separate server for every API call or post back.
Hopefully some of this was helpful. I am speaking from minor experience, but there are very good resources explaining this stuff from Auth0, or basically anything from the guys on IdentityServer3 (and now 4).
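As an added example in C# (not code from the question or the answer above), here is a minimal in-memory version of the refresh-token handling the answer describes: an opaque random token whose hash is stored on the provider, looked up and rotated on every exchange ("sliding"), overwritten when the same client logs in again, and revocable like a blacklisted password. The class and member names, the .NET 6 or later APIs used (RandomNumberGenerator.GetBytes, SHA256.HashData, Convert.ToHexString) and the dictionaries standing in for the provider's database are assumptions for illustration; the client ID and secret check the answer mentions is assumed to happen before Rotate is called.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical record the provider keeps for each live refresh token.
public sealed class RefreshTokenRecord
{
    public string Username { get; init; } = "";
    public string ClientId { get; init; } = "";
    public DateTimeOffset ExpiresAt { get; init; }
}

public sealed class RefreshTokenStore
{
    // One live refresh token per (client, user): a new login for the same client
    // overwrites the previous token, as the answer suggests.
    private readonly Dictionary<(string ClientId, string Username), (string Hash, RefreshTokenRecord Record)> _byUser = new();
    // Reverse index so a presented token can be looked up by its hash.
    private readonly Dictionary<string, (string ClientId, string Username)> _byHash = new();
    private readonly TimeSpan _lifetime;

    public RefreshTokenStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Issues a new opaque token: 256 random bits with no structure and no signature;
    // the only check is whether its hash is in the store. Storing the SHA-256 hash
    // rather than the token means a leaked database does not yield usable tokens.
    public string Issue(string clientId, string username, DateTimeOffset now)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        Revoke(clientId, username);                       // overwrite any previous token for this client
        var record = new RefreshTokenRecord { Username = username, ClientId = clientId, ExpiresAt = now + _lifetime };
        string hash = Hash(token);
        _byUser[(clientId, username)] = (hash, record);
        _byHash[hash] = (clientId, username);
        return token;
    }

    // Exchanges a presented refresh token for a fresh one (sliding rotation) and reports
    // which user it belonged to. Returns null for unknown, already-rotated, wrong-client
    // or expired tokens; an expired token is dropped so it cannot be retried.
    public string? Rotate(string clientId, string presentedToken, DateTimeOffset now, out string? username)
    {
        username = null;
        if (!_byHash.TryGetValue(Hash(presentedToken), out var key)) return null;
        var (_, record) = _byUser[key];
        if (record.ClientId != clientId) return null;     // issued to a different client
        if (record.ExpiresAt <= now)
        {
            Revoke(record.ClientId, record.Username);
            return null;
        }
        username = record.Username;
        return Issue(clientId, record.Username, now);     // old token invalidated, lifetime restarts
    }

    // Blacklist: drop the token for a (client, user) pair, e.g. on logout or compromise.
    public bool Revoke(string clientId, string username)
    {
        if (!_byUser.Remove((clientId, username), out var entry)) return false;
        _byHash.Remove(entry.Hash);
        return true;
    }

    public int Count => _byHash.Count;

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}

public static class Demo
{
    public static void Main()
    {
        var store = new RefreshTokenStore(TimeSpan.FromDays(7));
        var now = DateTimeOffset.UtcNow;

        // At login the returned string is what goes into the refresh_token field of the response.
        string first = store.Issue("web-app", "alice", now);
        string? second = store.Rotate("web-app", first, now.AddMinutes(30), out var user);
        Console.WriteLine($"rotated for {user}: {second != null}");
        Console.WriteLine($"old token reusable: {store.Rotate("web-app", first, now.AddMinutes(31), out _) != null}");
        Console.WriteLine($"wrong client accepted: {store.Rotate("mobile-app", second!, now.AddMinutes(32), out _) != null}");
        Console.WriteLine($"accepted after 8 days: {store.Rotate("web-app", second!, now.AddDays(8), out _) != null}");
        Console.WriteLine($"live tokens: {store.Count}");
    }
}
```

Running the demo shows the first exchange succeeding for alice, the already-rotated token being refused, the token being refused when a different client presents it, and the expired token being refused and removed, leaving no live tokens. Wiring it into the question's code means replacing `refresh_token = ""` with the value returned by Issue at login, and adding an endpoint that calls Rotate and, on success, mints a new JwtSecurityToken for the returned username.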