
Token based authentication with Spring and JWT

I am using Spring Security and JWT to implement the authentication/authorization system for my mobile application and I have a couple of doubts regarding the actual design of the system. This is the authentication/authorization flow to allow users to access secured REST APIs:

  1. The mobile application sends a request to the /auth/token endpoint, along with the username and password of the user, using the basic authentication scheme. The server authenticates the user, returning a JWT access token and refresh token.

  2. All the subsequent requests to the protected resources represented by the endpoints /api/** are performed passing the access token, which is validated and trusted by the server. The logic to validate and trust the token is performed by a token filter executed before Spring's BasicAuthenticationFilter.

  3. If the token is no longer valid, the client sends the refresh token (JWT) to the /auth/refresh endpoint, which validates this token and, if it is trusted, returns a new access token. The /auth/refresh endpoint is publicly exposed, but it relies on the fact that the JWT signature must be valid and trusted.

I am also thinking of using OAuth, but I wanted to know whether this architectural design can be used, or whether it could be exposed to vulnerabilities or scalability problems. I am pretty new to authentication systems and I am trying to understand the correct way to implement one without having to use OAuth.
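The three-step flow described in the question, as an added example that is not code from the question or from Spring itself. It assumes Spring Boot 3 / Spring Security 6 and the jjwt 0.11.x library; the class names, the `typ` claim, the token lifetimes and the `JWT_SECRET` environment variable are illustrative choices. The filter is registered before `BasicAuthenticationFilter` as the question describes, and the refresh endpoint accepts only tokens carrying the refresh kind, so a token that passes the same signature check cannot serve both purposes.

```java
// Added example (not from the question): assumes Spring Boot 3 / Spring Security 6, jjwt 0.11.x.
import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.context.annotation.*;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.crypto.SecretKey;
import java.io.IOException;
import java.time.Duration;
import java.util.*;

/** Issues and verifies both token kinds; the "typ" claim (our own name) tells them apart. */
class TokenService {
    static final String ACCESS = "access", REFRESH = "refresh";
    private final SecretKey key;   // HS256 needs >= 32 random bytes; load from config, never hard-code

    TokenService(byte[] secret) { this.key = Keys.hmacShaKeyFor(secret); }

    String issue(String user, String typ, Duration ttl) {
        Date now = new Date();
        return Jwts.builder().setSubject(user).claim("typ", typ).setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttl.toMillis()))
                .signWith(key, SignatureAlgorithm.HS256).compact();
    }

    /** Returns the subject; throws JwtException on bad signature, expiry, or wrong kind. */
    String verify(String token, String expectedTyp) {
        Claims c = Jwts.parserBuilder().setSigningKey(key).build()
                .parseClaimsJws(token).getBody();             // signature and exp are checked here
        if (!expectedTyp.equals(c.get("typ", String.class)))  // a refresh token is not an access token
            throw new JwtException("expected a " + expectedTyp + " token");
        return c.getSubject();
    }
}

/** Step 2: runs before BasicAuthenticationFilter and authenticates /api/** by access token only. */
class JwtAuthFilter extends OncePerRequestFilter {
    private final TokenService tokens;
    JwtAuthFilter(TokenService tokens) { this.tokens = tokens; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String h = req.getHeader("Authorization");
        if (h != null && h.startsWith("Bearer ")) {
            try {
                String user = tokens.verify(h.substring(7), TokenService.ACCESS);
                SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                        user, null, List.of(new SimpleGrantedAuthority("ROLE_USER"))));
            } catch (JwtException | IllegalArgumentException e) {
                SecurityContextHolder.clearContext();   // request stays anonymous; /api/** answers 401
            }
        }
        chain.doFilter(req, res);
    }
}

/** Steps 1 and 3: issue tokens after Basic auth; refresh trusts only the signature plus the kind. */
@RestController
class AuthController {
    private final TokenService tokens;
    AuthController(TokenService tokens) { this.tokens = tokens; }

    @PostMapping("/auth/token")
    Map<String, String> token(Authentication basicAuth) {   // already verified by BasicAuthenticationFilter
        String user = basicAuth.getName();
        return Map.of("access_token", tokens.issue(user, TokenService.ACCESS, Duration.ofMinutes(15)),
                      "refresh_token", tokens.issue(user, TokenService.REFRESH, Duration.ofDays(14)));
    }

    @PostMapping("/auth/refresh")
    Map<String, String> refresh(@RequestBody Map<String, String> body) {   // JSON: {"refresh_token": "..."}
        String user = tokens.verify(body.get("refresh_token"), TokenService.REFRESH);
        return Map.of("access_token", tokens.issue(user, TokenService.ACCESS, Duration.ofMinutes(15)));
    }

    @ExceptionHandler({JwtException.class, IllegalArgumentException.class})
    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    void badToken() {}   // invalid or missing token -> 401, never a stack trace
}

@Configuration
class SecurityConfig {
    @Bean TokenService tokenService() { return new TokenService(System.getenv("JWT_SECRET").getBytes()); }

    @Bean
    SecurityFilterChain chain(HttpSecurity http, TokenService tokens) throws Exception {
        return http
                .csrf(csrf -> csrf.disable())   // no cookie session is used, so CSRF does not apply here
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(a -> a
                        .requestMatchers("/auth/token").authenticated()   // Basic credentials required
                        .requestMatchers("/auth/refresh").permitAll()     // public; trust is the signature
                        .requestMatchers("/api/**").authenticated()
                        .anyRequest().denyAll())
                .httpBasic(Customizer.withDefaults())
                .addFilterBefore(new JwtAuthFilter(tokens), BasicAuthenticationFilter.class)
                .build();
    }
}
```

The `typ` check is the part most worth copying: both tokens are signed with the same key, so the signature alone cannot tell `/auth/refresh` that it was handed a refresh token rather than a long-expired access token, and it cannot tell `/api/**` that a fourteen-day refresh token is being used as if it were an access token. Short access lifetimes keep the window after a leak small; revoking a refresh token before its expiry needs server-side state that a bare JWT does not provide.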

What you describe is basically the same as OAuth's password flow except for the missing client id and secret. The access token and especially the refresh token should NEVER be forwarded to the actual application, whether it's an app or a web application.

Always think in terms of back channel and front channel. Front channels are where your application is running: untrusted environments, for example mobile phones, client-side rendered applications and so on.

These environments could be compromised.
Therefore your access token should always be saved on the server side.

But: you don't necessarily need a JWT for the described use case.
If you just need to log in, it would be safer to just have a session login mechanism with CSRF validation checks enabled.

However, if you want to go with a JWT, I would suggest you go with OAuth's code flow or make sure your access token is stored on the trusted server side.

For example:

  1. If the user signs in, he gets a session cookie in return.
  2. After that he could also get a so-called authCode for a specific client (in this case your resource servers or Zuul proxy) and scopes like 'read_profile, make_payments'.
  3. This authCode is now sent to your resource server (or the Zuul proxy sitting in front of your endpoints).
  4. The resource server itself has its own client credentials and now authenticates against the authentication server and gets an access token in exchange for the authCode.

In any case your user would be authenticated session-based on both sides and your resource server holds the access token for the user.
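The session-based alternative the answer recommends, with the resource server redeeming the authCode itself (steps 1 to 4 above), as an added example that is not code from the answer or from Spring. It assumes Spring Boot 3 / Spring Security 6; the URLs, scope names, client id, session attribute names and the `RS_CLIENT_SECRET` environment variable are illustrative. The browser receives only a session cookie and a plain string; the access token obtained in step 4 lives in the server-side session.

```java
// Added example (not from the answer): session login with CSRF kept on, and the resource server
// exchanging the authCode with its own client credentials. Assumes Spring Boot 3 / Spring Security 6.
import jakarta.servlet.http.HttpSession;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.*;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.client.RestTemplate;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.UUID;

@Configuration
class SessionSecurityConfig {
    @Bean
    SecurityFilterChain chain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(a -> a
                        .requestMatchers("/login").permitAll()
                        .anyRequest().authenticated())        // /auth/start and /auth/callback need the session
                .formLogin(Customizer.withDefaults())         // step 1: session cookie on sign-in
                .csrf(Customizer.withDefaults())              // CSRF checks stay enabled (the default)
                .build();
    }
}

/** Steps 2 to 4 on the resource server. Illustrative URLs and names; real values come from config. */
@RestController
class CodeExchangeController {
    static final String TOKEN_ATTR = "upstream.access_token";   // session attribute, server side only
    private final RestTemplate http = new RestTemplate();
    private final String authorizeUrl = "https://auth.example.invalid/oauth/authorize";
    private final String tokenUrl = "https://auth.example.invalid/oauth/token";
    private final String redirectUri = "https://api.example.invalid/auth/callback";
    private final String clientId = "resource-server";
    private final String clientSecret = System.getenv("RS_CLIENT_SECRET");   // the server's OWN secret

    /** Step 2: send the signed-in user to the auth server with a state value bound to this session. */
    @GetMapping("/auth/start")
    ResponseEntity<Void> start(HttpSession session) {
        String state = UUID.randomUUID().toString();   // SecureRandom-backed; ties callback to session
        session.setAttribute("oauth.state", state);
        String url = authorizeUrl + "?response_type=code&client_id=" + clientId
                + "&scope=read_profile%20make_payments&state=" + state
                + "&redirect_uri=" + URLEncoder.encode(redirectUri, StandardCharsets.UTF_8);
        return ResponseEntity.status(HttpStatus.FOUND).location(URI.create(url)).build();
    }

    /** Steps 3 and 4: receive the authCode, redeem it, keep the access token in the session. */
    @GetMapping("/auth/callback")
    String callback(@RequestParam String code, @RequestParam String state, HttpSession session) {
        if (!state.equals(session.getAttribute("oauth.state"))) {
            return "state mismatch";   // not started by this session: discard the code
        }
        session.removeAttribute("oauth.state");   // one-time use

        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "authorization_code");
        form.add("code", code);
        form.add("redirect_uri", redirectUri);
        HttpHeaders h = new HttpHeaders();
        h.setBasicAuth(clientId, clientSecret);   // client credentials, never the user's password
        h.setContentType(MediaType.APPLICATION_FORM_URLENCODED);

        Map<?, ?> reply = http.postForObject(tokenUrl, new HttpEntity<>(form, h), Map.class);
        session.setAttribute(TOKEN_ATTR, reply.get("access_token"));   // stays in the session
        return "linked";   // the browser gets this string, not the token
    }

    /** A protected call that uses the stored token on the back channel. */
    @GetMapping("/api/profile")
    String profile(HttpSession session) {
        Object token = session.getAttribute(TOKEN_ATTR);
        if (token == null) return "not linked";
        HttpHeaders h = new HttpHeaders();
        h.setBearerAuth(token.toString());
        return http.exchange("https://auth.example.invalid/userinfo", HttpMethod.GET,
                new HttpEntity<>(h), String.class).getBody();
    }
}
```

Spring Security's own `oauth2Login()` support performs this exchange, including the `state` check, so the hand-written version is there to show what runs underneath. The two points to carry over whichever way it is wired are that CSRF protection stays enabled on the session-cookie side, and that the access token is written to the session and to upstream `Authorization` headers only, never into a response to the front channel.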
