I'm learning about authorization: Basic, Digest, OAuth 2.0, JWT, and bearer tokens.
Now I have a question.
As you know, JWTs are used as the access_token in the OAuth 2.0 standard. JWTs are defined in RFC 7519, and bearer tokens in RFC 6750.
For example, Bearer:
Authorization: Bearer <token>
I used to send the token to the server via AJAX, or add it to the URL query string. I know it can also be sent by adding it to a request header. Does this mean the token should be added to the Authorization: Bearer header?
What is the relationship between JWT and bearer tokens?
Since you mentioned that you send the token in your URL query parameters, this may be of interest to you. I think sending them as URL parameters, as you and some of the other answers mention, can lead to some security problems. You should always use the Authentication header in your HTTP requests, as recommended in the RFC document below. :)
Using Access Tokens
AFAIK "bearer" is just a more generic term for tokens, because in the following RFC 7523 it is also often referred to as a JWT Bearer Token. However, it is true that, in contrast to the "normal" Bearer Token, the JWT also holds information (about the issuer, creation date, ...) in, as the name implies, JSON format when decoded. Note that these parameters can be decoded by anyone, so they shouldn't include sensitive data unless encrypted. JWT just ensures that the data sent inside the token isn't manipulated, because of the signature, which consists of HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret), with the secret either a passphrase or a public/private key pair. In the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is. The size of the payload of a JWT should not exceed approx. 8 kB, because some browsers won't accept tokens of this size. For further information about JWT you can either look up JWT.io or, for more detailed information, RFC 7523 (JWT for OAuth).
Update:
Some other information I gathered from the RFC confirms my assumption, very interesting stuff:
Clients using the URI Query Parameter method SHOULD also send a Cache-Control header containing the "no-store" option. Server success (2XX status) responses to these requests SHOULD contain a Cache-Control header with the "private" option.
Because of the security weaknesses associated with the URI method (see Section 5), including the high likelihood that the URL containing the access token will be logged, it SHOULD NOT be used unless it is impossible to transport the access token in the "Authorization" request header field or the HTTP request entity-body. Resource servers MAY support this method.
https://www.rfc-editor.org/rfc/rfc6750#section-2.3
Bearer Token
A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).
https://www.rfc-editor.org/rfc/rfc6750#section-1.2