What is BearerOption.SaveToken property used for?

安稳与你 submitted on 2021-01-27 06:18:33

Question


What is the bearerOption.SaveToken property used for in the configuration of JwtAuthentication in ASP.NET Core 2?

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(bearer =>
        {
            bearer.TokenValidationParameters.IssuerSigningKey = signingKey as SecurityKey;
            bearer.TokenValidationParameters.ValidIssuer = Configuration["Jwt:Issuer"];
            bearer.TokenValidationParameters.ValidAudience = Configuration["Jwt:Audience"];
            bearer.TokenValidationParameters.ClockSkew = TimeSpan.Zero;
            bearer.TokenValidationParameters.ValidateLifetime = true;
            bearer.TokenValidationParameters.ValidateAudience = true;
            bearer.TokenValidationParameters.ValidateIssuer = true;
            bearer.TokenValidationParameters.ValidateIssuerSigningKey = true;
            bearer.TokenValidationParameters.RequireExpirationTime = true;
            bearer.TokenValidationParameters.RequireSignedTokens = true;
            // ******
            bearer.SaveToken = true;
            // ******
        });

Answer 1:


bearer.SaveToken is used to indicate whether the server must save tokens server-side to validate them. So even when a user has a properly signed and encrypted token, it will not pass token validation if it was not generated by the server. This is a security reinforcement, so even when the signing key is compromised, your application is not.

Downside:

  • If your application is restarted or recycled, your token is no longer valid.
  • If you have a distributed application, this will not work for you.



Answer 2:


It is a property that defines whether the bearer token should be stored in the AuthenticationProperties after a successful authorization.
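
The storage in AuthenticationProperties that Answer 2 describes can be observed by reading the token back during the same request. The controller below is an added example, not code from the original question or answers; `ProfileController`, the downstream URL, and the injected `HttpClient` (which must be registered in `ConfigureServices`) are assumptions made for illustration.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[Route("api/[controller]")]
public class ProfileController : Controller
{
    // Hypothetical downstream API; replace with your own service URL.
    private const string DownstreamUrl = "https://downstream.example/api/profile";
    private readonly HttpClient _http;

    public ProfileController(HttpClient http) => _http = http;

    [HttpGet]
    public async Task<IActionResult> Get()
    {
        // The JwtBearer handler stores the validated token under the name
        // "access_token" in AuthenticationProperties only when SaveToken = true.
        string token = await HttpContext.GetTokenAsync(
            JwtBearerDefaults.AuthenticationScheme, "access_token");

        if (string.IsNullOrEmpty(token))
        {
            // SaveToken was false, or another scheme authenticated the request.
            return StatusCode(500, "Bearer token was not saved for this request.");
        }

        // Forward the caller's token; never write it to logs or responses.
        var request = new HttpRequestMessage(HttpMethod.Get, DownstreamUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

        HttpResponseMessage response = await _http.SendAsync(request);
        return StatusCode((int)response.StatusCode,
            await response.Content.ReadAsStringAsync());
    }
}
```

With `bearer.SaveToken = false`, `GetTokenAsync` returns `null` here and the raw token has to be parsed from the `Authorization` header instead.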



Source: https://stackoverflow.com/questions/49302473/what-is-beareroption-savetoken-property-used-for
