How does the server send the JWT to the client in token-based authorization?

Question

I'm learning about authentication in Java and Spring and about the difference between session-based and token-based authentication.

I know that in session-based authentication the user sends the username/password to the server. It could send the credentials using an HTML form or Basic Authentication. After that the server creates a session and sends the session ID in a cookie header like this: set-cookie: sessionid, and when the user makes another request it will send the session ID in a cookie header like this: cookie: sessionid. The server compares the session ID stored in the cookie against the session information stored in memory to verify the user's identity and sends a response with the corresponding state.

I'm not sure what happens in token-based authentication. The user will send the username/password to the server in the same way as in the first case: HTML form, Basic Authentication, etc. The server creates a JWT and sends it to the user's browser, usually to localStorage. But what I don't understand is how the server sends the JWT to the client. Does it send the JWT in a header like this: set-authorization: jwt? What is the name of the header the JWT is put in? And after that, when the client makes a new request, the JWT will be in an authorization header like this: Authorization: Bearer jwt. So I don't understand how the JWT is sent from the server to the browser. Any feedback will be appreciated! Thank you!

Answer 1

Score: 1

What you said about Basic Authentication is somewhat correct, but not completely. In Basic Authentication the client almost always sends the username and password to the server, and the server authenticates the user by that information (it means the client sends that information in each request). What you said about the cookie is not mandatory in Basic Authentication. The client can store information like the username and password in storage and send them on each request to the server.

What about JWT, and why is it much more reliable?

With JWT the client uses an authentication path to get the token from the server: the server provides the client with an API like /user/authenticate, and this path is usually secured by some other security mechanism (it can be Basic Authentication too). So the client sends the user's username and password to this path in a header, and it gets the JWT token in the response body. Then, when sending requests to other resources (for instance /products), the client sends that token in the header of those requests like this:

authorization: Bearer jwt

With JWT and other token-based authentication mechanisms the client should not save the user's username and password anywhere in its storage. What it could (or rather should) save in its storage is the token it received from the server. Therefore what is sent in each request is the token and not the user's username and password, and as a result this mechanism is more secure.

huangapple
  • Published 2020-10-14 17:06:41
  • When reposting, please keep the link to this article: https://go.coder-hub.com/64350012.html