我有一个使用JWT的无状态身份验证模型的新SPA。我经常被要求引用OAuth进行身份验证流程,比如要求我为每个请求发送“承载令牌”,而不是简单的令牌头,但我确实认为OAuth比简单的基于JWT的身份验证要复杂得多。主要的区别是什么,我应该让JWT身份验证像OAuth一样吗?
我还使用JWT作为我的XSRF- token来防止XSRF,但我被要求将它们分开?我应该把它们分开吗?这里的任何帮助都将受到感谢,并可能为社区提供一套指导方针。
当前回答
Jwt是一组用于发布和验证已签名访问令牌的严格指令。令牌包含应用程序用来限制用户访问的声明
OAuth2 on the other hand is not a protocol, its a delegated authorization framework. think very detailed guideline, for letting users and applications authorize specific permissions to other applications in both private and public settings. OpenID Connect which sits on top of OAUTH2 gives you Authentication and Authorization.it details how multiple different roles, users in your system, server side apps like an API, and clients such as websites or native mobile apps, can authenticate with each othe
注意oauth2可以与jwt一起工作,实现灵活,可扩展到不同的应用程序
其他回答
找出JWT和OAuth之间的主要区别
OAuth 2.0定义了一个协议,JWT定义了一个令牌格式。 OAuth既可以使用JWT作为令牌格式,也可以使用访问令牌作为承载令牌。 OpenID连接大多使用JWT作为令牌格式。
JWT tokens require, at most, a one-time communication between the resource server and the authorization server at runtime. The resource server needs to request the authorization server for the public key to decrypt the JWT tokens. This can be done at resource server startup. This can even be stored in the resource server in a properties file avoiding the query at all. OAuth2 solve a problem that user wants to access the data using client software like browser-based web apps, native mobile apps, or desktop apps. OAuth2 is just for authorization, client software can be authorized to access the resources on behalf of end-user using an access token. OAuth2 can be used with JWT tokens or access token which is a bearer token.
Firstly, we have to differentiate JWT and OAuth. Basically, JWT is a token format. OAuth is an authorization protocol that can use JWT as a token. OAuth uses server-side and client-side storage. If you want to do real logout you must go with OAuth2. Authentication with JWT token can not logout actually. Because you don't have an Authentication Server that keeps track of tokens. If you want to provide an API to 3rd party clients, you must use OAuth2 also. OAuth2 is very flexible. JWT implementation is very easy and does not take long to implement. If your application needs this sort of flexibility, you should go with OAuth2. But if you don't need this use-case scenario, implementing OAuth2 is a waste of time.
XSRF令牌总是在每个响应头中发送给客户端。CSRF令牌是否在JWT令牌中发送并不重要,因为CSRF令牌本身是安全的。因此,在JWT中发送CSRF令牌是不必要的。
Jwt是一组用于发布和验证已签名访问令牌的严格指令。令牌包含应用程序用来限制用户访问的声明
OAuth2 on the other hand is not a protocol, its a delegated authorization framework. think very detailed guideline, for letting users and applications authorize specific permissions to other applications in both private and public settings. OpenID Connect which sits on top of OAUTH2 gives you Authentication and Authorization.it details how multiple different roles, users in your system, server side apps like an API, and clients such as websites or native mobile apps, can authenticate with each othe
注意oauth2可以与jwt一起工作,实现灵活,可扩展到不同的应用程序
JWT是一个开放标准,它定义了一种紧凑且自包含的方式,用于在各方之间安全地传输信息。这是一种身份验证协议,我们允许编码的声明(令牌)在双方(客户端和服务器)之间传输,令牌在客户端识别时发出。对于每个后续请求,我们发送令牌。
而OAuth2是一个授权框架,它具有框架定义的一般过程和设置。JWT可以用作OAuth2中的一种机制。
你可以在这里阅读更多
OAuth还是JWT?使用哪一个,为什么?
