Question
There is a lot of discussion and support for the idea that the token-based authentication architecture of a MEAN application is secure. But my question is: does it really pass the user-name and password for authorization and authentication as the payload in the JSON Web Token, and if we are not passing secured information in the payload, then how does the JSON Web Token authenticate the user without a user-name/password on the server side?
I have read lots of architecture material, but it does not explain what logic is used to authenticate the token without using the user-name/password.
Is it valid to store the authentication token in cookies rather than in web storage?
Yes, I know that they use a private key and public key for verification, but that is not enough to authenticate. To authenticate a specific user it requires some key values like user-name/password or some access key that is required to identify that particular user.
Answer 1:
No, it is not secure to send a password in a JWT. This is because the JWT claims are simply encoded and can easily be decoded by anyone that sees them. It is not secure to store any sensitive information in a JWT that is returned to a user.
You seem to misunderstand the JWT's role in authentication. Generally, JWT authentication is going to replace a stateful session system. In many normal flows, a user authenticates using their username and password and the server sets a session cookie for the user. When the user returns to the website, their browser sends the session cookie along with them. The server sees a request coming in with a session cookie and looks up the relevant session data from some database.
In many JWT-based systems, a user authenticates with their username and password as usual, but instead of the authorization server setting a session cookie that references something in the database, it will set a cookie that contains a JWT of the user's session data. This could include their username, any roles they have, or any other data necessary.
Now, when the user returns to the website and their browser presents this new JWT cookie, the server only needs to verify that it was signed by the authorization server in order to trust the claims inside. Avoiding the database lookup for session information has many benefits, not the least of which is speed.
Source: https://stackoverflow.com/questions/36622366/how-to-pass-secure-data-like-user-name-password-in-json-web-token