
Refresh JWT without OAuth2

I'm using JWT in my Spring Boot application and Spring Security for authentication. The problem is that I can't refresh the JWT token after the `jwt.expiration` time declared in the file `application.properties`, so the users get logged out after 30 min. Do I need an OAuth2 implementation or is there any other quick-and-dirty way to solve this?

This is a pretty broad question, but I'll try and point you in the right direction.

Refreshing tokens is the business of an authorization server. So, your application would need to talk with one of those in order to renew the token.

I'd invite you to read up on OAuth 2.0 to understand how renewals happen. Specifically, they require a `refresh_token` grant from that authorization server.

Based on your description, you are likely an OAuth 2.0 Client application, in which case you'd be most interested in Spring Security's OAuth 2.0 Login and OAuth 2.0 Client support.

Also, I know you didn't ask this, but I'd also discourage you from seeking out "quick-and-dirty" solutions. Take the time to understand the security landscape, and it will pay you dividends later.
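
The `refresh_token` grant mentioned in the answer (RFC 6749, section 6), as an added example that is not part of the original answer or of Spring Security: an in-memory authorization server in plain Java 17 that renews an expired access token and rotates the refresh token on every use. All class and method names are hypothetical, client authentication is omitted, and the access token is an opaque random string where a real server would issue a signed JWT.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration of the refresh_token grant; all names are hypothetical.
public class RefreshGrantDemo {
    static final long ACCESS_TTL_SECONDS = 30 * 60;   // the question's 30 min lifetime
    static final SecureRandom RNG = new SecureRandom();
    // refresh token -> subject; an entry is removed once used (rotation)
    static final Map<String, String> refreshTokens = new ConcurrentHashMap<>();
    record TokenResponse(String accessToken, String refreshToken, Instant expiresAt) {}

    static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Called at login, after the user has authenticated.
    static TokenResponse issue(String subject, Instant now) {
        String refresh = randomToken();
        refreshTokens.put(refresh, subject);
        // Opaque placeholder; a real server would return a signed JWT here.
        return new TokenResponse(randomToken(), refresh, now.plusSeconds(ACCESS_TTL_SECONDS));
    }

    // Token endpoint: form parameters as the client would POST them.
    static TokenResponse token(Map<String, String> form, Instant now) {
        if (!"refresh_token".equals(form.get("grant_type")))
            throw new IllegalArgumentException("unsupported_grant_type");
        String presented = form.get("refresh_token");
        // remove() makes each refresh token single-use, so a replayed one fails
        String subject = presented == null ? null : refreshTokens.remove(presented);
        if (subject == null) throw new IllegalArgumentException("invalid_grant");
        return issue(subject, now);
    }

    public static void main(String[] args) {
        Instant t0 = Instant.now();
        TokenResponse first = issue("alice", t0);
        Instant later = t0.plusSeconds(31 * 60);            // access token has expired
        Map<String, String> form = Map.of("grant_type", "refresh_token", "refresh_token", first.refreshToken());
        TokenResponse renewed = token(form, later);
        System.out.println("renewed until " + renewed.expiresAt());
        try { token(form, later); }                          // replay of the old refresh token
        catch (IllegalArgumentException e) { System.out.println("replay rejected: " + e.getMessage()); }
    }
}
```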
