问题
I'm wondering if it would be best practice to use a clients fingerprint as JWT-secret for encoding. However I couldn't find anything in the WWW concerning this question, but so far it makes sense to me to do it.
I'm thinking about generating a fingerprint client-side with JavaScript and sent it to the API with every call. The API should then use the fingerprint with a hard coded secret together for encoding and decoding the token.
Isn't this a good method to prevent CSRF? Or am I missing out on something else? Or in general: What is the best way to prevent CSRF with JWT? (I'm using PHP and VueJS, is there maybe a case related solution?)
回答1:
I have never heard about that.
A token is signed using a private key or a shared secret. The use of a fingerprint means you can correlate one (or more) fingers to a private key then compute a token.
However, this looks very similar to the Webauthn protocol I am working with. When using Android devices, the browser can interact with the fingerprint/screenlock to authenticate the user. The data sent by the device is a JWT that can be verified using a Google API (see Android SafetyNet).
来源:https://stackoverflow.com/questions/54377272/use-client-fingerprint-to-encode-jwt-token