简体繁体 English

如何在Spring中生成访问令牌

[英]How to generate the access token in Spring

原文 2018-02-02 12:41:52 1 3 java/ oauth

How can I generate an access token in java spring? 如何在Java Spring中生成访问令牌？

I have tried to create an access token myself, but each time I need to do database operation that is taking a lot of time. 我曾尝试自己创建访问令牌，但是每次我需要执行数据库操作时都会花费很多时间。 Is there any easy way to generate access token? 有什么简单的方法可以生成访问令牌？

3 个解决方案

You can use the jwt library. 您可以使用jwt库。 which will encode your data into 3 parts header, body payload and verified the signature. 它将您的数据编码为3部分标题，主体有效载荷并验证签名。

https://jwt.io/ https://jwt.io/

it is easy to encrypt and decrypt the token, you can able to find the jwt library for almost all languages. 加密和解密令牌很容易，您可以找到几乎所有语言的jwt库。

I'm assuming you mean you need to do database operations to validate the token. 我假设您的意思是您需要执行数据库操作来验证令牌。

You can use JWT and validate that without database queries. 您可以使用JWT进行验证，而无需数据库查询。 They have a java lib and you don't have to implement any of it. 他们有一个Java库，您无需实现任何一个。

If you adopt JWT as the format of access tokens, you may be able to avoid DB operations. 如果采用JWT作为访问令牌的格式，则可以避免数据库操作。 However, it would be better to compare pros & cons of JWT-based access tokens and DB-based access tokens. 但是，最好比较基于JWT的访问令牌和基于DB的访问令牌的优缺点。 Especially, note that there is no easy way to revoke JWT-based access tokens . 特别是，请注意， 没有简单的方法来撤销基于JWT的访问令牌 。 In addition, it is impossible to change attributes of JWT-based access tokens once they are issued. 此外，一旦颁发了基于JWT的访问令牌 ，就无法更改其属性 。

The following table excerpted from "7.1. Access Token Representation" in " Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings " lists characteristics of DB-based access tokens ( "Random String" in the table) and JWT-based access tokens ( "Self-Contained" in the table). 下表摘自《 OAuth和OpenID Connect讨论的全部实现者 》的“ 7.1。访问令牌表示形式” ，列出了基于DB的访问令牌（表中的“随机字符串” ）和基于JWT的访问令牌的特征。（表中的“自包含” ）。