
JWT in Cookies - do I need a refresh token?

I'm implementing security for my React SPA using Spring Security on the backend. After a lot of reading, I opted for the following approach:

  • HTTPS everywhere
  • POST /login takes credentials and returns JWT_TOKEN and XSRF_TOKEN in cookie form. I build the JWT_TOKEN myself, whereas Spring Security handles the XSRF_TOKEN. Both cookies are Secure and SameSite=Strict. The JWT token is HttpOnly.
  • Subsequent API calls require the X-XSRF-TOKEN header, which is read from the aforementioned cookie. Both are sent and Spring Security compares them. The JWT is automatically sent and checked in a Filter.
  • Every time an XSRF token is used, Spring Security generates a new one to prevent session-fixation attacks
  • XSS protections are applied by Spring Security

So now I'm wondering about refresh tokens. I'm reading a lot of contradictory info out there. Do I need them with this setup? If so, how best to handle this?

Many thanks

In general, as its name says, a refresh token changes one token into another. Typically they are used in OAuth protocol-based authentication. They are useful when an access token has expired but the user's session is still valid.

First, JWTs are a great choice for access tokens. They have claims that match the access token requirements, such as exp, iat, jti, sub, etc. But when using cookie-based authentication there is no need for access tokens, and possibly no need for JWT.

As you said, your JWT_TOKEN is being set as an HttpOnly cookie, which means that only the server has access to it. JWT is useful for sharing the initial state between the client and server, and vice versa. If your server is just taking it to look up the database, you don't need a JWT; you are just using a session concept, and keeping session data in a JWT may not be a good practice.

Second, if your authenticated cookie data will live at /login and die at /logout, there is no need for refresh tokens. Refresh tokens are an exchange key for short-lived access tokens. Instead, your cookies keep the session alive and don't need to be exchanged for something else.

For example, if the user uses the /login route to exchange their username and password for one short-lived access_token, they may need the refresh_token to get a new access_token without needing to send their username and password again.

If you are using the OAuth protocol or similar, refresh tokens are essential to provide a more seamless experience for your users and avoid the inconvenience of repeatedly having to re-enter their credentials. But even with OAuth, they are not mandatory.
