
what is the best practice for JWT in Spring Boot?

I would like to start a project with Spring Boot and JWT. I saw some examples which save the refresh tokens in a database, so my question is: do I have to insert refresh tokens into the database, or is there another best-practice way? And if I have to insert them into the database, should I create a job in Spring to remove the expired tokens?

Thanks a lot

In the refresh token flow, it is the client's responsibility to securely manage the refresh token. Once the access token expires, the client can use the previously saved refresh token to get a new access token and, optionally, a new refresh token. As you asked about the approach of storing the refresh token on the server side: I think storing it in the datastore, for later validation when issuing the new access token, has one important advantage. By doing so you can always restrict or revoke access to the services. This makes sense in the case where the refresh token has a longer validity period and the server does not issue a new refresh token along with the new access token during the refresh token flow.
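The store-and-validate design the answer recommends, as an added example that is not part of the original question or answer and is not Spring or Spring Security code: a short-lived HS256 access JWT that is never stored server-side, plus an opaque refresh token kept in a store as a SHA-256 hash with its expiry, so it can be revoked, rotated on every use, and swept by the scheduled cleanup job the question asks about. It is written in Python with only the standard library so it runs as-is; the signing key, subjects, timestamps and the in-memory `RefreshTokenStore` standing in for a database table are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values for the example; a real service loads the key from configuration.
SIGNING_KEY = b"constructed-demo-hs256-key-not-for-production"
ACCESS_TTL = 15 * 60          # access JWT lifetime in seconds: short, never stored
REFRESH_TTL = 14 * 24 * 3600  # refresh token lifetime in seconds: long, stored


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject: str, now: float, key: bytes = SIGNING_KEY) -> str:
    """Mint a compact HS256 JWT. Only its signature protects it; nothing is stored."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = _b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def verify_access_token(token: str, now: float, key: bytes = SIGNING_KEY):
    """Return the claims if signature and expiry check out, else None.
    The header's alg field is deliberately ignored: the server only ever accepts
    HS256 under its own key, which also rejects alg=none tokens."""
    try:
        header, payload, signature = token.split(".")
        expected = _b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(signature.encode(), expected.encode()):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


class RefreshTokenStore:
    """Stands in for the database table the question asks about. Only the SHA-256
    hash of each refresh token is kept, so a dumped table cannot be replayed."""

    def __init__(self):
        self._rows = {}  # token_hash -> {"sub": subject, "exp": expiry timestamp}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # opaque, high-entropy, no claims inside
        self._rows[self._hash(token)] = {"sub": subject, "exp": now + REFRESH_TTL}
        return token

    def consume(self, token: str, now: float):
        """Validate and delete in one step (single use). Returns the subject or None."""
        row = self._rows.pop(self._hash(token), None)
        if row is None or row["exp"] <= now:
            return None
        return row["sub"]

    def revoke_all(self, subject: str) -> int:
        """Log a user out everywhere: drop every refresh token they hold."""
        doomed = [h for h, row in self._rows.items() if row["sub"] == subject]
        for h in doomed:
            del self._rows[h]
        return len(doomed)

    def purge_expired(self, now: float) -> int:
        """The periodic cleanup job: delete rows whose expiry has passed."""
        stale = [h for h, row in self._rows.items() if row["exp"] <= now]
        for h in stale:
            del self._rows[h]
        return len(stale)

    def __len__(self) -> int:
        return len(self._rows)


def login(store: RefreshTokenStore, subject: str, now: float):
    """Credentials are assumed to have been checked already; returns (access, refresh)."""
    return issue_access_token(subject, now), store.issue(subject, now)


def refresh(store: RefreshTokenStore, refresh_token: str, now: float):
    """Refresh flow: the presented token must exist, be unexpired and is consumed;
    the client then gets a fresh pair, so an old refresh token is never valid twice."""
    subject = store.consume(refresh_token, now)
    if subject is None:
        return None
    return issue_access_token(subject, now), store.issue(subject, now)


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed clock
    store = RefreshTokenStore()
    access, rt = login(store, "alice", t0)
    print("access claims:", verify_access_token(access, t0 + 60))
    access2, rt2 = refresh(store, rt, t0 + ACCESS_TTL)
    print("old refresh token replayed:", refresh(store, rt, t0 + ACCESS_TTL + 1))
    print("revoked rows:", store.revoke_all("alice"))
    print("purged after 14 days:", store.purge_expired(t0 + REFRESH_TTL), "rows left:", len(store))
```

In a Spring Boot application the `RefreshTokenStore` maps onto a JPA entity and repository keyed by the token hash, `purge_expired` becomes a method annotated with `@Scheduled` (with `@EnableScheduling` on a configuration class), and the access JWT would normally be produced and parsed by a library such as jjwt or Spring Security's Nimbus-based JWT support rather than by hand. The two checks worth keeping whatever the persistence layer are hashing the stored value and deleting each refresh token on use: the first means a leaked table cannot be replayed, the second means a stolen refresh token is detected as soon as either the attacker or the legitimate client presents the old one.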

