JWT Keycloak 令牌中是否有任何部分可以用作令牌本身的唯一 ID?
[英]Is there any part of JWT Keycloak token which can be used as a unique ID of the token itself?
问题描述
Edit
编辑
My question was before about Keycloak token only, but the solution I found is more general, it is applicable for JWT regardless of Keycloak.我之前的问题是关于 Keycloak 令牌,但我发现的解决方案更通用,它适用于 JWT,无论 Keycloak 是什么。
Background / Motivation背景/动机
Based on the JWT Keycloak token, I fetch some additional information of the user (the sub field) from my database.基于 JWT Keycloak 令牌,我从我的数据库中获取了用户的一些附加信息( sub字段)。 I'd like to cache the information and I am looking for an appropriate key to the cache.我想缓存这些信息,我正在寻找一个合适的缓存键。
I do not want to use the sub field because I want the cache entry to invalidate when the Keycloak token changes (= when a new token is generated for the same user).我不想使用sub字段,因为我希望缓存条目在 Keycloak 令牌更改时失效(= 为同一用户生成新令牌时)。
I can easily use the whole Keycloak token or its third part (the signature) as the key.我可以轻松地使用整个 Keycloak 令牌或其第三部分(签名)作为密钥。 However, it is quite a long string.但是,它是一个相当长的字符串。
Question问题
Is there any field in the JWT Keycloak token, which may be used as a unique ID of this particular token? JWT Keycloak 令牌中是否有任何字段可以用作此特定令牌的唯一 ID? Which is guaranteed to be always present, and always change for a new instance of the token.保证始终存在,并且始终针对令牌的新实例进行更改。
Does the sid field work like this? sid字段是这样工作的吗? At least it seems to be different from sub .至少它似乎与sub不同。
There are several UUIDs in the Keycloak token and I am confused by the documentation. Keycloak 令牌中有几个 UUID,我对文档感到困惑。 I found only this clearly arranged table explaining the meaning of the Keycloak token fields.我发现只有这张清晰排列的表格解释了 Keycloak 令牌字段的含义。
2 个解决方案
解决方案1
1 2021-12-17 03:58:09
Based on your use case, two fields I can think of using is id / email id and expiration.根据您的用例,我可以想到使用的两个字段是id / email id和过期。
Id / email id is unique and always present, so that serves your purpose.
Id / email id 是唯一的并且始终存在,因此可以满足您的目的。Expiration alone cannot be used as 2 tokens generated for 2 users at same time may have same expiration.
不能单独使用过期时间,因为同时为 2 个用户生成的 2 个令牌可能具有相同的过期时间。 Then why am I asking to use?那我为什么要使用? If your cache does not support TTL, then there might be stale entries unnecessarily occupying your cache.如果您的缓存不支持 TTL,那么可能会有一些过时的条目不必要地占用您的缓存。 So if you keep your key as "expiration.id", then you can maybe run a side job every 24 hours or so to delete stale entries from cache, based on first part ie expiration.因此,如果您将密钥保留为“expiration.id”,那么您可以每 24 小时左右运行一次辅助作业,以根据第一部分(即过期)从缓存中删除过时的条目。
Here is sample Keycloak token object in my Java app:这是我的 Java 应用程序中的示例 Keycloak 令牌 object:
解决方案2
0 已采纳 2022-03-29 00:58:24
Finally I found the detailed documentation of JWT: https://datatracker.ietf.org/doc/html/rfc7519最后我找到了JWT的详细文档: https://datatracker.ietf.org/doc/html/rfc7519
The field is not keycloak specific, it is defined in the JWT standard.该字段不是特定于 keycloak 的,它在 JWT 标准中定义。
There is specified the field jti as:将字段jti指定为:
The
jti(JWT ID) claim provides a unique identifier for the JWT.jti(JWT ID)声明为 JWT 提供唯一标识符。 The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object;jticlaim can be used to prevent the JWT from being replayed.jti声明可用于防止重播 JWT。 Thejtivalue is a case-sensitive string.jti值是区分大小写的字符串。 Use of this claim is OPTIONAL.
The field exactly matches my requirement to "provide a unique ID of this particular token".该字段完全符合我“提供此特定令牌的唯一 ID”的要求。 And it seems that our keycloak server assigns the field a UUID.我们的 keycloak 服务器似乎为该字段分配了一个 UUID。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.