

What if a token is expired between services?

I've been reading up on communication between services/microservices.

The API Gateway authenticates the request and passes an access token (e.g. a JSON Web Token) that securely identifies the requestor in each request to the services. A service can include the access token in requests it makes to other services.

via http://microservices.io

And I'm passing the access token of a user to downstream services, so it looks more or less like this:


But what if a token is expired between microservices?

There are plenty of ways to solve this problem; these seem reasonable:

  • Validate the access token of a user and create a short-lived JWT in the API Gateway (a kind of internal token)

  • Each microservice validates the JWT and generates its own JWT to communicate with other microservices according to scope rules


So we would have an Auth service to validate or request tokens.

The question is:

In order to be sure that the token will not expire during the journey through the services, we can just make a check in the API Gateway layer: if a token expires in n (~1) minutes, reject it, so the user has to use the refresh token to obtain a new access token. It means the token will always be valid for the time necessary to complete the request. What are the pros and cons of this approach?

I have the same question, so Google led me here. I hope it's not too late to respond to this question after half a year.

I can't say this is an "Answer", but I hope my idea may inspire someone. So it's a kind of "idea sharing".

I think there are two ways to deal with this issue:

  1. If the token will expire in 10 minutes, refresh it at 6 minutes (just an example). So make sure the situation you described will never happen by adjusting the expiry time and refresh time.

  2. Another way is to adjust the system architecture. Split APIs into internal and external. All external tokens will be checked at the API Gateway, and then there is no token within the internal services.

I think we have a lot of methods to avoid the issue mentioned in this question. Based on the particular requirements of each project, we should consider using a different security design. So there is no "silver bullet".
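Added example, written for this page and not taken from the question or the answer above: it puts the three ideas discussed here into one runnable Python script using only the standard library. The gateway verifies the user's JWT and rejects it when less than a minimum remaining lifetime is left (the question's "n (~1) minutes" check), then mints a short-lived internal token for the hop to downstream services (the first bullet in the question and the answer's internal/external split), and a client-side helper applies the answer's "refresh at 6 of 10 minutes" rule. The HS256 keys, the claim values, the `gateway` issuer name and the function names are all constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical shared HS256 secrets, constructed for this example only.
USER_KEY = b"user-token-secret"            # Auth service signs user tokens with this
INTERNAL_KEY = b"gateway-internal-secret"  # gateway signs hop tokens with this
MIN_REMAINING = 60   # seconds; the "n (~1) minute" margin from the question
HOP_TTL = 30         # seconds; lifetime of the gateway-minted internal token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder (compact serialisation)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def decode_jwt(token: str, key: bytes, now: float) -> dict:
    """Verify the signature and the 'exp' claim; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an alg swap
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def gateway_admit(user_token: str, now: float, hop_ttl: int = HOP_TTL):
    """API Gateway step: returns (True, internal_token) or (False, reason)."""
    try:
        claims = decode_jwt(user_token, USER_KEY, now)
    except ValueError as err:
        return False, f"rejected: {err}"
    if claims["exp"] - now < MIN_REMAINING:
        # The token is still valid, but not for long enough to finish the journey.
        return False, "rejected: token expires too soon, client must refresh"
    internal = {"iss": "gateway", "sub": claims["sub"], "scope": claims.get("scope", ""),
                "iat": now, "exp": now + hop_ttl}
    return True, encode_jwt(internal, INTERNAL_KEY)


def service_accept(internal_token: str, now: float) -> dict:
    """Downstream service step: only gateway-minted internal tokens are accepted."""
    claims = decode_jwt(internal_token, INTERNAL_KEY, now)
    if claims.get("iss") != "gateway":
        raise ValueError("not issued by the gateway")
    return claims


def client_should_refresh(claims: dict, now: float, fraction: float = 0.6) -> bool:
    """The answer's rule 1: refresh once 60% of the lifetime has elapsed (6 of 10 minutes)."""
    lifetime = claims["exp"] - claims["iat"]
    return (now - claims["iat"]) >= fraction * lifetime


# Constructed user token: issued at t=1000, valid for 10 minutes.
USER_CLAIMS = {"sub": "alice", "scope": "orders:read", "iat": 1000, "exp": 1600}
USER_TOKEN = encode_jwt(USER_CLAIMS, USER_KEY)

if __name__ == "__main__":
    for t in (1010, 1360, 1550, 1700):
        ok, result = gateway_admit(USER_TOKEN, now=t)
        outcome = service_accept(result, t) if ok else result
        print(t, "refresh?", client_should_refresh(USER_CLAIMS, t), "| gateway:", outcome)
```

Note that `gateway_admit` distinguishes two different rejections: a token that is already expired or badly signed, and a token that is still valid but has less than `MIN_REMAINING` seconds left. Only the second case is the question's proposal, and it is what forces the client to use its refresh token early; the downstream services never see the user's token at all, only the 30-second hop token signed with the gateway's own key.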
