问题
I have used ASP.NET Identity for a while now and have been looking at JWT (JSON Web Token) as they seem really interesting and easy to use.
JWT.IO has a great example/tool of debugging the token.
However, I'm not entirely sure how JWT's work on the back end, would you still use Identity?
Also how do the tokens (Bearer vs JWT) compare? Which is more secure?
回答1:
JWTs are like a ticket to an attraction. It contains all the security information a server needs embedded in it. Once the server has handed it out the client just needs to present it whenever it asks for something and the server responds accordingly if it's valid.
The contents are entirely viewable, but they're signed using a secret key by the server so it can tell if they've been tampered with.
Since everything is in the JWT, and the client can present it to whomever they want, you can use it for Single Sign On as long as the different servers share the same secret so they can verify the signature.
Like a ticket, a JWT has an expiry date. As long as it hasn't expired, it's valid. This means you can't revoke them before that. For this reason JWTs often have short expiry times (30 mins or so) and the client is also issued a refresh token in order to renew the JWT quickly when it expires.
JWTs
- Not stored on the server
- Great for SSO
- Can't be revoked prematurely
Bearer tokens are like a guest list. The server puts the client on the guest list, then provides a pass code to identify it when it wants something. When the client provides the code, the server looks it up on the list and checks that it's allowed to do whatever it's asking.
The server has to have the list available to it so if you want to share access across servers, they either all need to be able to access the list (database), or talk to some authority that has it (auth server).
On the other hand, since they have the guest list, they can take you off it whenever they want.
Bearer Tokens
- Stored on the server
- Can be revoked at any time
- Requires a central authority or shared database to share the token across servers
Bit of Tech has some excellent tutorials on implementing JWTs with Web Api if you want to go down that route.
http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/
回答2:
Unfortunately The previous answer could be misleading: Bearer Tokens are the predominant type of access token used with OAuth 2.0. A Bearer Token is an opaque string, not intended to have any meaning to clients using it. Some servers will issue tokens that are a short string of hexadecimal characters, while others may use structured tokens such as JSON Web Tokens. (https://oauth.net/2/bearer-tokens/)
来源:https://stackoverflow.com/questions/42086149/asp-net-identity-bearer-token-vs-jwt-pros-and-cons