
JWT authentication using cookies with KONG API Gateway

We are implementing a sample application using the Kong API gateway with the JWT authentication plugin.

As referred to in this thread, there are two ways to store a JWT in the browser: web storage or cookies. But web storage (i.e. session storage and local storage) can be vulnerable to cross-site scripting (XSS). So the other option is cookies (though CSRF should be taken care of).

I have two questions:

  1. If we use web storage to store the JWT, is there any way to stop XSS? If yes, how will it work if the same page is opened in a new tab or the same page is reloaded?

  2. Using cookies: we are able to send the cookies in the request. But KONG is authenticating the endpoint URL only if the JWT is set in the headers (Authorization: Bearer token) and is not authenticating using cookies. Is there any way to verify a JWT that is set in cookies using the KONG API Gateway?

There is nothing wrong with storing a JWT in webStorage, unless you store sensitive data in your JWT (but you should never ever do that, since you can decode it easily). The point is that your token shares a secret that only your server knows (that's what makes it secure); you should just put an expiration time on it to make it a lot safer.

And no, you cannot pass a JWT token in cookies, it's only in headers (here Authorization). I don't know about the KONG API, but they should not allow that!

(a reference about JWT is here)

In order to add to @antoine2vey's answer,

It looks like your one-page application is being served from a protected API in Kong at the "/" (slash) resource. I would suggest that you get the page content from an unprotected "/" (slash) resource; the JavaScript code that then runs would have access to the cookie and would be able to make the request to the protected resource, passing the JWT token in the header, where Kong would be able to validate it for you.

Does this make sense?

Cookie-based authentication is implemented: https://github.com/Kong/kong/pull/2973
