Memor.の 2014-11-04 15:41 Acceptance rate: 100%
5534 views
Accepted

How can a JWT (JSON Web Token) have its expiry extended automatically?

I want to implement JWT-based authentication in a new REST API. But the expiration is set inside the token; is it possible to extend it automatically? I don't want users to have to log in again every x minutes if they are actively using the application during that time. That would be a huge UX failure.

But extending the expiry produces a new token (and the old one stays valid until it expires). Generating a new token after every request sounds silly to me. Having several tokens valid at the same time sounds like a security problem. Of course, I could use a blacklist to invalidate the old ones, but then I need to store tokens.

I found that Auth0 solves this; they use not only a JWT but also a refresh token: https://docs.Auth0.com/refresh-token

But to implement this (without Auth0) I would need to store the refresh tokens and maintain their expiry. So what is the real benefit? Why not just have a single token (not a JWT) and keep the expiry on the server?

Are there other options? Is JWT simply not suited to this scenario?


9 answers

  • hurriedly% 2014-11-09 23:45

    I work at Auth0 and I was involved in the design of the refresh token feature.

    It all depends on the type of application and here is our recommended approach.

    Web applications

    A good pattern is to refresh the token before it expires.

    Set the token expiration to one week and refresh the token every time the user opens the web application and every hour. If a user doesn't open the application for more than a week, they will have to log in again, and this is acceptable web application UX.

    To refresh the token your API needs a new endpoint that receives a valid, not expired JWT and returns the same signed JWT with the new expiration field. Then the web application will store the token somewhere.

    Mobile/Native applications

    Most native applications do login once and only once.

    The idea is that the refresh token never expires and it can always be exchanged for a valid JWT.

    The problem with a token that never expires is that never means never. What do you do if you lose your phone? So, it needs to be identifiable by the user somehow and the application needs to provide a way to revoke access. We decided to use the device's name, e.g. "maryo's iPad". Then the user can go to the application and revoke access to "maryo's iPad".

    Another approach is to revoke the refresh token on specific events. An interesting event is changing the password.

    We believe that JWT is not useful for these use cases, so we use a randomly generated string and we store it on our side.

    This answer was chosen by the asker as the best answer.
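As an added example (not code from the original answer, and not Auth0's implementation), here is a minimal Python sketch of both patterns the answer describes: a refresh endpoint that accepts a valid, not-yet-expired HS256 JWT and re-issues the same claims with a new `exp`, and a server-side store of random refresh tokens labelled by device name that can be revoked per device or on an event such as a password change. The JWT sign/verify helpers, the signing key, the one-week and one-hour lifetimes and the sample claims are all constructed for this example; no JWT library is used.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample key; a real deployment loads this from a secret store.
SECRET = b"example-hs256-signing-key"
WEEK = 7 * 24 * 3600  # web-app token lifetime suggested in the answer


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, ttl_seconds, now=None):
    """Issue a compact HS256 JWT carrying `claims` plus fresh iat/exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, body)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, now=None):
    """Return the claims if the signature checks out and exp is still in the future, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None
    if header.get("alg") != "HS256":  # only accept the algorithm we issue
        return None
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def refresh_endpoint(token, now=None):
    """Web-app pattern: exchange a still-valid JWT for one with a new expiry.
    Returns None for an expired or tampered token; the client must log in again."""
    claims = verify_jwt(token, now)
    if claims is None:
        return None
    stable = {k: v for k, v in claims.items() if k not in ("iat", "exp")}
    return sign_jwt(stable, WEEK, now)


class RefreshTokenStore:
    """Mobile pattern: opaque, non-expiring refresh tokens kept server-side,
    labelled with a device name so the user can revoke a single device."""

    def __init__(self):
        self._tokens = {}  # refresh token -> {"sub": user id, "device": label}

    def issue(self, sub, device):
        token = secrets.token_urlsafe(32)  # random string, not a JWT
        self._tokens[token] = {"sub": sub, "device": device}
        return token

    def exchange(self, refresh_token, now=None):
        """Return a short-lived (one hour) JWT for a known refresh token, else None."""
        record = self._tokens.get(refresh_token)
        if record is None:
            return None
        return sign_jwt({"sub": record["sub"], "device": record["device"]}, 3600, now)

    def list_devices(self, sub):
        return sorted(r["device"] for r in self._tokens.values() if r["sub"] == sub)

    def revoke_device(self, sub, device):
        """User-initiated: 'revoke access to maryo's iPad'."""
        for tok, r in list(self._tokens.items()):
            if r["sub"] == sub and r["device"] == device:
                del self._tokens[tok]

    def revoke_all(self, sub):
        """Event-driven: e.g. after a password change, drop every device."""
        for tok, r in list(self._tokens.items()):
            if r["sub"] == sub:
                del self._tokens[tok]


if __name__ == "__main__":
    web = sign_jwt({"sub": "maryo"}, WEEK)
    print("refreshed:", refresh_endpoint(web) is not None)
    store = RefreshTokenStore()
    ipad = store.issue("maryo", "maryo's iPad")
    print("devices:", store.list_devices("maryo"))
    store.revoke_device("maryo", "maryo's iPad")
    print("after revoke:", store.exchange(ipad))
```

Two points of the answer are visible in the code: the refresh endpoint only ever re-signs claims it has already verified, so an expired token cannot be "revived" and a client holding one must log in again; and the refresh tokens are random strings looked up in a server-side table, which is exactly what makes per-device and password-change revocation possible without any blacklist of JWTs.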