Oauth1 guide

Tokens are still valid in scenarios such as logout. Specific scenarios of this kind are:

- sign out
- change of password
- the server has modified the permissions or roles of a user
- the user's account is deleted or suspended
- the user is logged out by the administrator

This problem does not exist with session authentication, because there the server can simply delete the corresponding session record. With token authentication it is not easy to solve: as we said, once a token has been issued it stays valid until it expires unless the backend adds other logic. So how do we solve this? After checking a lot of material, the following schemes can be summarised.

1. Store tokens in an in-memory database. Store the tokens in a DB; an in-memory database such as Redis is a good choice here. To invalidate a token, simply delete it from Redis. However, this adds a lookup of the token in the DB on every request that uses it, and it violates the statelessness principle of JWT.

2. Blacklisting mechanism. Similar to the above: use an in-memory database such as Redis to maintain a blacklist. To invalidate a token, add it to the blacklist; every request that presents a token first checks whether that token is in the blacklist.

3. Modify the secret. Create a dedicated key for each user; to invalidate a user's tokens, change that user's key. However, this causes more harm than the two in-memory-database schemes above:
   - If the service is distributed, the keys must be synchronised across machines each time a new token is issued. To do this you need to store the secrets in a database or other external service, which is then not much different from session authentication.
   - If the user has the system open in two browsers at the same time, or also on a mobile phone, logging out in one place forces a new login everywhere else. This is not desirable.

4. Keep tokens short-lived and rotate them frequently. A simple approach, but the user's login state is not persistently recorded and the user has to log in frequently.

The specific case of a token remaining valid after a password change is relatively easy to solve. One approach I think is better: use the hash value of the user's password to sign the token. If the password is changed, any previous token will automatically fail to verify.

Token renewal. Generally it is not recommended to set a long token validity period, so how do we authenticate after the token expires, and how do we dynamically refresh the token to avoid
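The blacklist scheme and the password-hash signing scheme above can be combined in one verifier, as in the following added example (written for this page; it is not code from the guide). It hand-rolls a minimal HS256 JWT-style token with the standard library instead of using a JWT library, uses a plain dictionary as a stand-in for the Redis blacklist (keyed by the token's `jti`, with entries dropped once the token would have expired anyway), and derives each user's signing key from a constructed `SERVER_SECRET` mixed with the user's stored password hash. The `users` dictionary, the hash strings and all timestamps are constructed sample values. Deleting the user's record also invalidates their tokens, which covers the "account deleted" scenario listed above.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-wide secret for this example (assumption: a real
# deployment loads it from a secret store and never hard-codes it).
SERVER_SECRET = b"constructed-example-server-secret"


class TokenInvalid(Exception):
    """Raised with a short reason when a token fails any check."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_key(password_hash: str) -> bytes:
    """Per-user key: server secret mixed with the user's stored password hash.
    A password change changes the hash, so tokens signed under the old hash
    stop verifying without any extra bookkeeping."""
    return hmac.new(SERVER_SECRET, password_hash.encode(), hashlib.sha256).digest()


def issue_token(user_id: str, password_hash: str, ttl: int = 900,
                now: Optional[int] = None) -> str:
    """Build a minimal HS256 JWT-style token with a unique jti for revocation."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = {"sub": user_id, "iat": now, "exp": now + ttl,
               "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload).encode())
    sig = hmac.new(signing_key(password_hash),
                   f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


class Denylist:
    """In-memory stand-in for the Redis blacklist: revoked jti -> token exp.
    Entries are purged once the token would have expired anyway, so the list
    is bounded by the number of live tokens (in Redis this is a key TTL)."""

    def __init__(self):
        self._revoked = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def contains(self, jti: str, now: int) -> bool:
        for stale in [j for j, exp in self._revoked.items() if exp <= now]:
            del self._revoked[stale]
        return jti in self._revoked


def verify_token(token: str, password_hashes: dict, denylist: Denylist,
                 now: Optional[int] = None) -> dict:
    """Return the payload if every check passes, else raise TokenInvalid.
    password_hashes maps user id -> current password hash; a deleted account
    has no entry, which invalidates its tokens as well."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed")
    header, body, sig = parts
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise TokenInvalid("unsupported alg")
    payload = json.loads(_unb64(body))
    # The key is derived from the claimed subject before the signature is
    # checked; a forged "sub" only yields a key under which it fails to verify.
    password_hash = password_hashes.get(payload.get("sub"))
    if password_hash is None:
        raise TokenInvalid("unknown or deleted user")
    expected = hmac.new(signing_key(password_hash),
                        f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise TokenInvalid("bad signature (key or password changed)")
    if payload["exp"] <= now:
        raise TokenInvalid("expired")
    if denylist.contains(payload["jti"], now):
        raise TokenInvalid("revoked")
    return payload


def check_token(token, password_hashes, denylist, now=None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_token(token, password_hashes, denylist, now)
        return "ok"
    except TokenInvalid as err:
        return str(err)


if __name__ == "__main__":
    users = {"alice": "argon2-hash-v1"}          # constructed user store
    denylist = Denylist()
    tok = issue_token("alice", users["alice"], ttl=60, now=1000)
    print(check_token(tok, users, denylist, now=1010))   # ok
    claims = verify_token(tok, users, denylist, now=1010)
    denylist.revoke(claims["jti"], claims["exp"])        # logout of this device
    print(check_token(tok, users, denylist, now=1010))   # revoked
```

The two mechanisms cover different scopes: revoking a `jti` invalidates one token (one browser or device), while a password change alters the per-user key and invalidates every token the user holds, which is exactly the "logged out everywhere" behaviour the guide flags as undesirable for ordinary sign-out but wants after a password change. The denylist lookup is the one stateful step on each request, and it only needs to hold entries until the corresponding token's `exp`.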
Published on Oct 16, 2022