项目决策 - JWT 与经典会议
因此,我正在构建我的第一个项目,该项目将用于中高流量的生产中。
我决定使用 Keycloak 作为它的 IdP,NodeJS 作为后端,React 作为前端(两者都在 TypeScript 上)。对于后端,我想使用不记名令牌作为身份验证。
当我研究 Keycloak 时,我发现它使用 JWT 令牌来填充用户的数据。我还偶然发现一些人建议不要将 JWT 令牌与用户的数据一起使用。
老实说,这些观点对我来说似乎非常有效 - 但现在,在使用 Keycloak 时我有什么替代方案呢?好的,如果我使用自己的身份验证 &我想我可以使用经典会话的授权系统。但我不知道如何在 Keycloak 中实现它们。另外,对我来说,像 Keycloak 这样流行和大的东西会使用默认情况下会很糟糕的东西(JWT),这似乎很奇怪 - 所以我不确定我是否应该改变这个机制。
所以,我的问题是:
将 JWT 令牌与用户数据一起使用是否安全? (Keycloak 的默认值) 它看起来是这样的:
{
exp: 1645637327,
iat: 1645601327,
jti: 'removed',
iss: 'http://localhost:8080/auth/realms/supercatalog',
aud: 'account',
sub: 'removed',
typ: 'Bearer',
azp: 'restapi',
session_state: '2434f33d-73c4-4f38-8c80-e92356380ffa',
acr: '1',
'allowed-origins': [ '' ],
realm_access: {
roles: [
'app-elev',
'offline_access',
'uma_authorization',
'default-roles-supercatalog'
]
},
resource_access: { restapi: { roles: [Array] }, account: { roles: [Array] } },
scope: 'email profile',
sid: 'removed',
email_verified: false,
preferred_username: 'elev'
}
如果没有,在仍然使用 Keycloak 的同时,还有什么替代方案?
So, I'm building my first project that will be used in production with medium-high traffic.
I've decided to use Keycloak as an IdP for it, NodeJS as a backend, React to frontend (both on TypeScript). For the back-end I want to use a bearer-token as authentication.
As I've been studying about Keycloak, I've seen that it uses JWT tokens filled up with data from the user. I also stumbled across some people that advised AGAINST using JWT tokens with data from the user.
The points that were made seemed pretty valid to me to be honest - but now, what is my alternative to them when using Keycloak? Okay, if I used my own authentication & authorization systems I could just use classic sessions I guess. But I don't know how to implement them in Keycloak. Also, it seems strange to me that somethings as popular and big as Keycloak would use something that would be bad by default (JWT) - so I'm not really sure if I should even change this mechanism.
So, my questions are:
Am I safe to use JWT tokens with user's data? (default for Keycloak)
Here's how it looks:
{
exp: 1645637327,
iat: 1645601327,
jti: 'removed',
iss: 'http://localhost:8080/auth/realms/supercatalog',
aud: 'account',
sub: 'removed',
typ: 'Bearer',
azp: 'restapi',
session_state: '2434f33d-73c4-4f38-8c80-e92356380ffa',
acr: '1',
'allowed-origins': [ '' ],
realm_access: {
roles: [
'app-elev',
'offline_access',
'uma_authorization',
'default-roles-supercatalog'
]
},
resource_access: { restapi: { roles: [Array] }, account: { roles: [Array] } },
scope: 'email profile',
sid: 'removed',
email_verified: false,
preferred_username: 'elev'
}
If not, what would be an alternative, while still using Keycloak?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您可以将 access/id-token 中的用户信息保持在最低限度,然后让应用程序或 API 单独查询 UserInfo 端点以获取所有用户详细信息。令牌中的数据非常开放,因此如果将其发送到浏览器或用户可以访问,那么这可能是一个问题。但如果一切都在您的后端内,那么问题就更少了。
什么是 Keycloak 的 OAuth2 / OpenID Connect 端点?
You can keep the user information to a minimum in the access/id-token and then let the application or API query the UserInfo endpoint separately to get all the user details. The data in the token is pretty open so if it is sent to the browser or is accessible by the user, then that can be a problem. But if it is all inside your backend, then there is less a problem.
What are Keycloak's OAuth2 / OpenID Connect endpoints?