JWT Token Storage
I have been going through some of my .NET Core2 services and adding some JWT authentication to them to provide some basic security.

I created a new ProvisioningService which has an endpoint that builds a token and returns it:
    using System;
    using System.IdentityModel.Tokens.Jwt;
    using System.Text;
    using Microsoft.IdentityModel.Tokens;

    // Symmetric signing key read from configuration (Jwt:Key); any service that
    // validates these tokens must be configured with the same value.
    var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]));
    var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
    var token = new JwtSecurityToken(_config["Jwt:Issuer"],   // issuer
                                     _config["Jwt:Issuer"],   // audience
                                     claims,                  // claims to embed in the token
                                     expires: DateTime.Now.AddMinutes(30),
                                     signingCredentials: creds);
    return new JwtSecurityTokenHandler().WriteToken(token);
I altered one of my existing services (which I'll refer to as TestService) by adding AddAuthentication in the StartUp. The endpoint for this call has the [HttpPost(), Authorize] attributes. I deployed these changes to my Test server.

When I call TestService/api/updateSomething I am returned a 401 Unauthorized as expected. On my local machine, I create a new token via ProvisioningService/api/buildToken and add the token from the response to my TestService call via the Authorization header. To my surprise... this worked.

Why does my TestService (on a completely different server) view a token created on my local machine as a valid token and allow the call to work? I was expecting this to return the same 401 because I assumed this token was going to be invalid on my Test server. My inexperience with JWT is probably showing... but I am not understanding how these tokens are being stored/shared between servers.

I failed to understand that the token itself has what it needs to authorize itself after it is decrypted. This question is no longer needed.
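The behaviour described in the question, as an added example that is not the poster's code: a hand-rolled HS256 mint/validate pair showing that a JWT carries its own claims and signature, so nothing is stored server-side and any service configured with the same Jwt:Key (and issuer) accepts it, while a different key, a different issuer, an expired token or a tampered payload is rejected. The secret, issuer and claim values below are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_token(secret: str, issuer: str, claims: dict,
                now: Optional[int] = None, lifetime_s: int = 1800) -> str:
    """Mint an HS256 JWT the way the ProvisioningService endpoint does:
    issuer == audience, 30-minute expiry, HMAC-SHA256 over header.payload."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": issuer, "exp": now + lifetime_s, **claims}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(secret: str, issuer: str, token: str,
                   now: Optional[int] = None) -> Optional[dict]:
    """What the receiving service's AddAuthentication effectively does: pin the
    algorithm, recompute the signature with its own copy of the key, then check
    issuer and expiry. No lookup of a stored token is involved. Returns the
    claims on success, None on any failure."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None                      # refuse algorithm confusion / "none"
        expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                      # wrong key or tampered token
        payload = json.loads(_b64url_decode(p))
    except ValueError:                       # malformed base64 / JSON / structure
        return None
    now = int(time.time()) if now is None else now
    if payload.get("iss") != issuer or payload.get("exp", 0) <= now:
        return None
    return payload
```

A token minted on one machine therefore validates on another purely because both read the same Jwt:Key; rotating or differing keys is what makes it invalid.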