JWT 令牌使用
我正在将 IdentitySercer4 与我的 .net 应用程序一起使用。我有 IDS 正在运行并分发 JWT 令牌、受 JWT 保护的 API 端点和网站。
问:我的网站前往 IDS 获取令牌,现在可以调用 API 端点。但接下来我该怎么办?我肯定不会在每次调用时都返回 IDS 获取另一个令牌吗?我是否保存我的 JWT 令牌 - Db 或 cookie?然后每次都呈现出来。何时进行检查以查看 JWT 令牌是否已过期,以便客户端返回 IDS 获取新令牌?
谢谢
I am using IdentitySercer4 with my .net application. I have IDS running and dishing out JWT tokens, an API endpoint protected with JWT and a Website.
Q. My website goes to IDS to get the token and can now call the API endpoint. But what do I do next? Surely I don't go back to IDS for another token for every call? Do I save my JWT token - either Db or cookie? and then present it every time. When is the check carried out to see if the JWT token has expired so the client goes back to IDS to get a new token?
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您将令牌缓存在客户端中,并将其显示在每个请求的
Authorization标头中。资源服务器(您的 API)在每个请求期间验证令牌。首先,它使用公钥检查令牌下的签名(令牌是由只有 Identity Server 知道的私钥签名的)。如果签名有效,则会检查其他内容,例如到期日期。公钥可从 IdentityServer 的 URI/.well-known/openid-configuration获取。资源服务器(您的 API)不应在每次请求时都调用此端点,而应缓存公钥。如果您的 API 是用 .NET 编写的,您应该考虑使用默认值身份验证中间件实现并将
Authority设置为指向您的 IdentityServer,这样令牌验证将开箱即用。You cache your token in the client and present it in the
Authorizationheader in every request. The resource server (your API) validates the token during every request. At first, it checks the signature under the token by using the public key (the token is signed by the private key only known to the Identity Server). If the signature is valid, then it checks other stuff like the expiration date. The public key is obtainable from the URI/.well-known/openid-configurationof your IdentityServer. The resource server (your API) shouldn't call this endpoint every request, it should cache the public key instead. If your API is written in .NET, you should consider using the defaultauthentication middleware implementation and setting
Authorityto point to your IdentityServer, this way token validation will be working out of the box.