我应该使用什么来验证我的REST API中的用户?

时间:2022-07-12 07:14:06

I was planning on using JWT for the authentication of my users on my REST API (written with nodejs, using express), but i've seen people on the internet saying that it wasn't safe.

我计划在我的REST API上使用JWT来验证我的用户(用nodejs编写,使用快递),但我看到互联网上的人说它不安全。

Is it really not safe ? What's a better alternative ?

真的不安全吗?什么是更好的选择?

4 个解决方案

#1


0  

passport will best for authentication your user which will come on your application.

护照最适合用户身份验证,这将在您的应用程序中出现。

#2


0  

It depends on how you use them. Json Web Token is practically safe enough as long as:

这取决于你如何使用它们。只要符合以下条件,Json Web Token就足够安全了:

  1. You sign it with a strong alg.
  2. 你用一个强大的alg签名。

  3. Keep the signing key safe from unauthorized access.
  4. 保持签名密钥免受未经授权的访问。

  5. Don't store sensitive data in token itself.
  6. 不要将敏感数据存储在令牌本身中。

  7. Narrow down access scope of each token to only required resources.
  8. 将每个令牌的访问范围缩小到仅需要的资源。

  9. Expire them soon enough.
  10. 很快就会过期。

  11. Use TLS/SSL to transfer them securely.
  12. 使用TLS / SSL安全地传输它们。

#3


0  

JWT is just a token, not an authentication/authorization protocol. Using JWT can be secure or insecure it depends on how you use it. JWT is the native token used by OIDC. You're probably referring to the usual use of JWT as value tokens, which may be less secure than reference tokens. See here for a somewhat clearer explanation.

JWT只是一种令牌,而不是身份验证/授权协议。使用JWT可能是安全的或不安全的,这取决于您如何使用它。 JWT是OIDC使用的本机令牌。您可能指的是JWT通常用作值标记,这可能不如参考标记安全。请参阅此处以获得更清晰的解释。

In the comments you ask about using what is essentially basic HTTP authentication (only using JWT instead of uuencode(user:password) as the token). There is nothing wrong with basic authentication as long as the communication is properly secured (https using TLS >= 1.1), but there are severe limitations to using this type of authentication. Any API authentication that requires username and password means every client of the app needs to have it's own user (principal). The whole stack of protocols on top of authentication in the paper I linked to is meant to solve several problems encountered by APIs. The two main ones are:

在评论中,您询问使用什么是基本的HTTP身份验证(仅使用JWT而不是uuencode(user:password)作为令牌)。只要通信得到适当保护(使用TLS> = 1.1的https),基本身份验证没有任何问题,但使用此类身份验证存在严重限制。任何需要用户名和密码的API身份验证意味着应用程序的每个客户端都需要拥有自己的用户(主体)。在我链接的论文中,基于身份验证的整个协议栈旨在解决API遇到的几个问题。两个主要的是:

Federation: the user logs in once to a central system and does not need to log in again for each system that trusts the central system.

联合:用户登录到*系统,无需再次登录信任*系统的每个系统。

Delegation: the user delegates authority to a third party to allow it to do only specific tasks (and not others). This authority can be revoked individually without needing to change the permissions of other third parties or changing passwords.

委派:用户将权限委托给第三方,以允许它仅执行特定任务(而不是其他任务)。可以单独撤消此权限,而无需更改其他第三方的权限或更改密码。

Federation is the feature that lets you log with your Facebook or Google account to * without providing your password. Delegation allows you to specify what * can do with your Facebook or Google account (e.g. get your personal info but not post). Delegation works on top of federation.

联盟功能可让您使用Facebook或Google帐户登录*而无需提供密码。委派允许您指定*可以对您的Facebook或Google帐户执行的操作(例如,获取您的个人信息但不发布)。代表团在联邦之上工作。

The problem with all this is that it makes your API more difficult to access: give the client a username and password vs. make the user using the client log in to an identity system and allow the client to use the API. If your system is a B2B API with a single client application then using only authentication is fine. If your API involves users in any way or is meant to be consumed by third party applications then then you really have no choice but implementing the whole security stack (i.e. OIDC and OAuth). There is a (good) reason the stack was designed and it'll save you stumbling into the same problems it already solves.

所有这一切的问题在于它使您的API更难以访问:为客户端提供用户名和密码,而不是让用户使用客户端登录到身份系统并允许客户端使用API​​。如果您的系统是具有单个客户端应用程序的B2B API,那么仅使用身份验证就可以。如果您的API以任何方式涉及用户或者意图被第三方应用程序使用,那么您实际上别无选择,只能实现整个安全堆栈(即OIDC和OAuth)。堆栈设计有一个(好的)原因,它可以帮助你绊倒它已经解决的相同问题。

#4


0  

In most situations the security characteristics depend on the actual implementation rather than the specification or concept being used. You can have secure JWT implementations and you can also fail miserably...

在大多数情况下,安全特性取决于实际实现而不是所使用的规范或概念。你可以拥有安全的JWT实现,你也可能会失败......

Read critical vulnerabilities in JSON Web Token libraries for some examples on JWT related vulnerabilities exposed by some implementations not because of the actual specification, but because how they implemented it and how developers ended up using them.

阅读JSON Web Token库中的关键漏洞,了解一些实现所暴露的JWT相关漏洞的一些示例,而不是因为实际规范,而是因为它们如何实现它以及开发人员最终如何使用它们。

Authentication is a hard problem that's always evolving so secure implementations take time and resources to implement. If you really care about security the best recommendation (alternative) is to delegate as much of it as possible to someone or something completely focused on it.

身份验证是一个始终在不断发展的难题,因此安全的实现需要时间和资源来实现。如果您真的关心安全性,那么最好的推荐(替代方案)就是尽可能多地将其委托给完全关注它的人或某事。

This will also give you more time to focus on solving the business problems that made you start building your application in the first place. I would suggest a look at Auth0, but I like it so much that I ended up working there so I'm biased.

这也将使您有更多时间专注于解决使您开始构建应用程序的业务问题。我建议看看Auth0,但我非常喜欢它,所以我最终在那里工作所以我有偏见。

#1


0  

passport will best for authentication your user which will come on your application.

护照最适合用户身份验证,这将在您的应用程序中出现。

#2


0  

It depends on how you use them. Json Web Token is practically safe enough as long as:

这取决于你如何使用它们。只要符合以下条件,Json Web Token就足够安全了:

  1. You sign it with a strong alg.
  2. 你用一个强大的alg签名。

  3. Keep the signing key safe from unauthorized access.
  4. 保持签名密钥免受未经授权的访问。

  5. Don't store sensitive data in token itself.
  6. 不要将敏感数据存储在令牌本身中。

  7. Narrow down access scope of each token to only required resources.
  8. 将每个令牌的访问范围缩小到仅需要的资源。

  9. Expire them soon enough.
  10. 很快就会过期。

  11. Use TLS/SSL to transfer them securely.
  12. 使用TLS / SSL安全地传输它们。

#3


0  

JWT is just a token, not an authentication/authorization protocol. Using JWT can be secure or insecure it depends on how you use it. JWT is the native token used by OIDC. You're probably referring to the usual use of JWT as value tokens, which may be less secure than reference tokens. See here for a somewhat clearer explanation.

JWT只是一种令牌,而不是身份验证/授权协议。使用JWT可能是安全的或不安全的,这取决于您如何使用它。 JWT是OIDC使用的本机令牌。您可能指的是JWT通常用作值标记,这可能不如参考标记安全。请参阅此处以获得更清晰的解释。

In the comments you ask about using what is essentially basic HTTP authentication (only using JWT instead of uuencode(user:password) as the token). There is nothing wrong with basic authentication as long as the communication is properly secured (https using TLS >= 1.1), but there are severe limitations to using this type of authentication. Any API authentication that requires username and password means every client of the app needs to have it's own user (principal). The whole stack of protocols on top of authentication in the paper I linked to is meant to solve several problems encountered by APIs. The two main ones are:

在评论中,您询问使用什么是基本的HTTP身份验证(仅使用JWT而不是uuencode(user:password)作为令牌)。只要通信得到适当保护(使用TLS> = 1.1的https),基本身份验证没有任何问题,但使用此类身份验证存在严重限制。任何需要用户名和密码的API身份验证意味着应用程序的每个客户端都需要拥有自己的用户(主体)。在我链接的论文中,基于身份验证的整个协议栈旨在解决API遇到的几个问题。两个主要的是:

Federation: the user logs in once to a central system and does not need to log in again for each system that trusts the central system.

联合:用户登录到*系统,无需再次登录信任*系统的每个系统。

Delegation: the user delegates authority to a third party to allow it to do only specific tasks (and not others). This authority can be revoked individually without needing to change the permissions of other third parties or changing passwords.

委派:用户将权限委托给第三方,以允许它仅执行特定任务(而不是其他任务)。可以单独撤消此权限,而无需更改其他第三方的权限或更改密码。

Federation is the feature that lets you log with your Facebook or Google account to * without providing your password. Delegation allows you to specify what * can do with your Facebook or Google account (e.g. get your personal info but not post). Delegation works on top of federation.

联盟功能可让您使用Facebook或Google帐户登录*而无需提供密码。委派允许您指定*可以对您的Facebook或Google帐户执行的操作(例如,获取您的个人信息但不发布)。代表团在联邦之上工作。

The problem with all this is that it makes your API more difficult to access: give the client a username and password vs. make the user using the client log in to an identity system and allow the client to use the API. If your system is a B2B API with a single client application then using only authentication is fine. If your API involves users in any way or is meant to be consumed by third party applications then then you really have no choice but implementing the whole security stack (i.e. OIDC and OAuth). There is a (good) reason the stack was designed and it'll save you stumbling into the same problems it already solves.

所有这一切的问题在于它使您的API更难以访问:为客户端提供用户名和密码,而不是让用户使用客户端登录到身份系统并允许客户端使用API​​。如果您的系统是具有单个客户端应用程序的B2B API,那么仅使用身份验证就可以。如果您的API以任何方式涉及用户或者意图被第三方应用程序使用,那么您实际上别无选择,只能实现整个安全堆栈(即OIDC和OAuth)。堆栈设计有一个(好的)原因,它可以帮助你绊倒它已经解决的相同问题。

#4


0  

In most situations the security characteristics depend on the actual implementation rather than the specification or concept being used. You can have secure JWT implementations and you can also fail miserably...

在大多数情况下,安全特性取决于实际实现而不是所使用的规范或概念。你可以拥有安全的JWT实现,你也可能会失败......

Read critical vulnerabilities in JSON Web Token libraries for some examples on JWT related vulnerabilities exposed by some implementations not because of the actual specification, but because how they implemented it and how developers ended up using them.

阅读JSON Web Token库中的关键漏洞,了解一些实现所暴露的JWT相关漏洞的一些示例,而不是因为实际规范,而是因为它们如何实现它以及开发人员最终如何使用它们。

Authentication is a hard problem that's always evolving so secure implementations take time and resources to implement. If you really care about security the best recommendation (alternative) is to delegate as much of it as possible to someone or something completely focused on it.

身份验证是一个始终在不断发展的难题,因此安全的实现需要时间和资源来实现。如果您真的关心安全性,那么最好的推荐(替代方案)就是尽可能多地将其委托给完全关注它的人或某事。

This will also give you more time to focus on solving the business problems that made you start building your application in the first place. I would suggest a look at Auth0, but I like it so much that I ended up working there so I'm biased.

这也将使您有更多时间专注于解决使您开始构建应用程序的业务问题。我建议看看Auth0,但我非常喜欢它,所以我最终在那里工作所以我有偏见。