我想了解基于令牌的身份验证意味着什么。我在网上搜索了一下,但找不到任何可以理解的东西。
当前回答
我认为这里已经解释得很好了——只是引用了这篇长文的关键句子:
a背后的一般概念 基于令牌的认证系统是 简单。允许用户输入他们的 用户名和密码,以便 获得一个令牌,允许他们这样做 获取一个特定的资源-没有 使用用户名和密码。 一旦获得了他们的令牌, 用户可以提供令牌 提供对特定资源的访问 在一段时间内,对着遥控器 网站。
换句话说:为身份验证添加一个间接级别——用户不必为每个受保护的资源使用用户名和密码进行身份验证,而是以这种方式进行一次身份验证(在有限持续时间的会话内),获得一个有时间限制的令牌作为回报,并在会话期间使用该令牌进行进一步的身份验证。
好处有很多——例如,用户一旦获得令牌,就可以将令牌传递给其他一些自动化系统,他们愿意在有限的时间和有限的资源集内信任这个系统,但不愿意信任他们的用户名和密码(即,他们被允许访问的每一个资源,永远或至少直到他们更改密码)。
如果还有什么不清楚的地方,请编辑你的问题,澄清你不是100%清楚的东西,我相信我们可以进一步帮助你。
其他回答
它只是哈希与数据库中的用户或其他方式相关联。该令牌可用于身份验证,然后授权用户访问应用程序的相关内容。要在客户端检索此令牌,需要登录。第一次登录后,你需要保存检索到的令牌,而不是任何其他数据,如会话,会话id,因为这里的一切都是令牌,以访问应用程序的其他资源。
令牌用于确保用户的真实性。
更新: 目前,我们有更先进的基于令牌的技术,称为JWT (Json Web令牌)。这种技术有助于在多个系统中使用相同的令牌,我们称之为单点登录。
基本上,基于JSON的令牌包含用户详细信息和令牌到期详细信息。因此,如果令牌无效或过期,可以根据详细信息使用该信息进一步验证或拒绝请求。
基于令牌的(安全/身份验证)
This means that in order for us to prove that we’ve access we first have to receive the token. In a real-life scenario, the token could be an access card to the building, it could be the key to the lock to your house. In order for you to retrieve a key card for your office or the key to your home, you first need to prove who you are and that you in fact do have access to that token. It could be something as simple as showing someone your ID or giving them a secret password. So imagine I need to get access to my office. I go down to the security office, I show them my ID, and they give me this token, which lets me into the building. Now I have unrestricted access to do whatever I want inside the building, as long as I have my token with me.
基于令牌的安全性有什么好处?
回想一下不安全API,在这种情况下,我们必须为我们想做的所有事情提供密码。
Imagine that every time we enter a door in our office, we have to give everyone sitting next to the door our password. Now that would be pretty bad because that means that anyone inside our office could take our password and impersonate us, and that’s pretty bad. Instead, what we do is that we retrieve the token, of course together with the password, but we retrieve that from one person. And then we can use this token wherever we want inside the building. Of course, if we lose the token, we have the same problem as if someone else knew our password, but that leads us to things like how do we make sure that if we lose the token, we can revoke the access, and maybe the token shouldn’t live for longer than 24 hours, so the next day that we come to the office, we need to show our ID again. But still, there’s just one person that we show the ID to, and that’s the security guard sitting where we retrieve the tokens.
从Auth0.com
Token-Based Authentication, relies on a signed token that is sent to the server on each request. What are the benefits of using a token-based approach? Cross-domain / CORS: cookies + CORS don't play well across different domains. A token-based approach allows you to make AJAX calls to any server, on any domain because you use an HTTP header to transmit the user information. Stateless (a.k.a. Server side scalability): there is no need to keep a session store, the token is a self-contained entity that conveys all the user information. The rest of the state lives in cookies or local storage on the client side. CDN: you can serve all the assets of your app from a CDN (e.g. javascript, HTML, images, etc.), and your server side is just the API. Decoupling: you are not tied to any particular authentication scheme. The token might be generated anywhere, hence your API can be called from anywhere with a single way of authenticating those calls. Mobile ready: when you start working on a native platform (iOS, Android, Windows 8, etc.) cookies are not ideal when consuming a token-based approach simplifies this a lot. CSRF: since you are not relying on cookies, you don't need to protect against cross site requests (e.g. it would not be possible to sib your site, generate a POST request and re-use the existing authentication cookie because there will be none). Performance: we are not presenting any hard perf benchmarks here, but a network roundtrip (e.g. finding a session on database) is likely to take more time than calculating an HMACSHA256 to validate a token and parsing its contents.
A token is a piece of data created by server, and contains information to identify a particular user and token validity. The token will contain the user's information, as well as a special token code that user can pass to the server with every method that supports authentication, instead of passing a username and password directly. Token-based authentication is a security technique that authenticates the users who attempt to log in to a server, a network, or some other secure system, using a security token provided by the server. An authentication is successful if a user can prove to a server that he or she is a valid user by passing a security token. The service validates the security token and processes the user request. After the token is validated by the service, it is used to establish security context for the client, so the service can make authorization decisions or audit activity for successive user requests.
资料来源(网页档案)
我认为这里已经解释得很好了——只是引用了这篇长文的关键句子:
a背后的一般概念 基于令牌的认证系统是 简单。允许用户输入他们的 用户名和密码,以便 获得一个令牌,允许他们这样做 获取一个特定的资源-没有 使用用户名和密码。 一旦获得了他们的令牌, 用户可以提供令牌 提供对特定资源的访问 在一段时间内,对着遥控器 网站。
换句话说:为身份验证添加一个间接级别——用户不必为每个受保护的资源使用用户名和密码进行身份验证,而是以这种方式进行一次身份验证(在有限持续时间的会话内),获得一个有时间限制的令牌作为回报,并在会话期间使用该令牌进行进一步的身份验证。
好处有很多——例如,用户一旦获得令牌,就可以将令牌传递给其他一些自动化系统,他们愿意在有限的时间和有限的资源集内信任这个系统,但不愿意信任他们的用户名和密码(即,他们被允许访问的每一个资源,永远或至少直到他们更改密码)。
如果还有什么不清楚的地方,请编辑你的问题,澄清你不是100%清楚的东西,我相信我们可以进一步帮助你。
推荐文章
- cer、pvk和pfx文件有什么区别?
- Django设置“SECRET_KEY”的目的是什么?
- 如何从命令行重置Jenkins安全设置?
- 如何通过SFTP从服务器检索文件?
- 密码身份验证暂时被禁用,作为停电的一部分。请改用个人访问令牌
- SecureString在c#应用中实用吗?
- “刷新令牌”的目的是什么?
- 摘要认证和基本认证的区别是什么?
- 浏览器会通过https缓存内容吗
- 什么是端点?
- 配置系统初始化失败
- 在git存储库中处理密码的最佳实践是什么?
- 支付处理器-如果我想在我的网站上接受信用卡,我需要知道什么?
- 在Subversion中,我可以是我的登录名以外的用户吗?
- 如何加密和解密一个PHP字符串?