How do I authenticate my user on a custom backend using my firebase JWT?
I successfully authenticated my user with my firebase app in the browser. Now I want my custom backend to know that the user is authenticated.
How do I go about this? Can I tell the client to include the firebase JWT in every request to my backend, so that the backend knows the user is logged in? (This is necessary so that the backend will not redirect a logged-in user to the login page, for example.)
Background Research:
The firebase authentication docs explain how to get the firebase token, send it to your custom backend, and then do something on the backend with the user data. That's fine for an XHR request, where you can tell the browser to include the token as a header. I don't understand how to get the browser to include the token in a normal HTTP request to the server, like when the user opens a new tab and navigates to the admin panel at https://example.com/admin.
This is a related question, but I didn't understand the answer (or at least how I could apply it to my use case).
Here's how the good guys at jwt.io explain it:
Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:
Authorization: Bearer <token>
This is a stateless authentication mechanism as the user state is never saved in server memory. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.