Thoughts on JWT

What is a JWT

Problems with JWT

JWT in practice

https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html

OpenID+JWTs

As mentioned earlier, OpenID Connect uses JWTs. The provider issues an identity token to the client. The identity token carries information about the user's identity and about the provider that authenticated the user. The identity token is a JWT signed with the provider's private key.

OpenID Connect went to great lengths to improve the security properties of the identity token. For example, the protocol requires the "exp", "iss" and "aud" claims. In addition, the token contains a nonce to prevent replay attacks. Because of these requirements, misusing a stolen identity token becomes very hard, if not impossible.

JWTs as OAuth 2.0 access tokens

OAuth 2.0 access tokens are another good use case for JWTs. Such an access token allows a client application to access a protected resource, such as an API. OAuth 2.0 access tokens come in two forms: reference tokens and self-contained tokens.

  • A reference token points to metadata stored server-side by the authorization server. It works as a token identifier, much like a traditional session identifier.
  • A self-contained token takes the form of a JWT. Its payload carries all the metadata. To protect that data, the issuer signs the token with its private key.

Traditional OAuth 2.0 tokens are bearer tokens. If one is compromised, anyone holding it can use it without restriction. A reference token is revoked by deleting it at the authorization server. For a self-contained token, revocation is much more complex.

Therefore it is strongly recommended to keep the access token lifetime as short as possible. Lifetimes of minutes or hours are common; lifetimes of days or months are not recommended. Where possible, combine short-lived access tokens with refresh tokens to improve security.

Furthermore, newer specifications address the bearer property of tokens by introducing proof-of-possession mechanisms, which bind a token to the party it was issued to.

JWTs as session objects

Protocols such as OpenID Connect and OAuth 2.0 actively try to address the weaknesses of JWTs. Unfortunately, we also see many applications incorporate JWTs into their architecture without taking these precautions into account.

A concrete example is an application that stores its authorization state in a JWT on the client. This allows a stateless back-end, which makes deployment very easy.

However, such a client-side token is a bearer token. Without a properly short lifetime or a revocation mechanism, this setup is very fragile.

Token types:

https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/

Common ways of using JWTs for sessions:

http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

Stateless JWT: A JWT token that contains the session data, encoded directly into the token.
Stateful JWT: A JWT token that contains just a reference or ID for the session. The session data is stored server-side.
Session token/cookie: A standard (optionally signed) session ID, like web frameworks have been using for a long time. The session data is stored server-side.

https://cheatsheets.pragmaticwebsecurity.com/cheatsheets/jwt.pdf


Source: www.cnblogs.com/victor2302/p/11776195.html