Should I use JWT or basic token authentication in Django Rest Framework?

Date: 2022-05-25 20:13:00

I'm about to implement Token Authentication in my API using Django Rest Framework. But I'm not sure if I should use the basic token built into DRF or use the JSON Web Token (JWT) standard (using this package: djangorestframework-jwt). The only reference that I found was in the DRF docs:

Unlike the built-in TokenAuthentication scheme, JWT Authentication doesn't need to use a database to validate a token.

Is there any other difference, advantages or disadvantages to consider?

Note: The API is going to be accessed from the website (using AngularJS) and by a mobile app.

2 answers

#1


12  

There are many benefits to using JWT tokens regardless of the platform. JWT tokens base64-encode all the user's claims in their body and can be safely decoded on the client into a stateful object. This is hugely beneficial when compared to alternative opaque tokens, which provide zero use to the client app. On login, you immediately have atomic data in the client without additional round trips to the API to poll for user information.

JWT tokens are stateless: there is no need to store or keep track of them server side, which is more scalable horizontally across many servers. They are safe because the private signing key used to grant them is stored server side; any inbound API calls bearing them are simply validated with the private key, guaranteeing they were issued by your Authorization API.

JWT tokens work nicely in Angular, React, and any other client framework. Because they are JSON, you can base64 decode them in the client and bind client UI elements directly to your claims - someone with an admin claim can see an admin menu and a user without that claim will never know the menu exists, if implemented correctly.

Aside from this, a JWT token still behaves in the same way as any bearer token:

  • Issued by Authorization API
  • Stored by client in cookies or local storage
  • Passed to Resource API in Authorization header

In summary, you will have fewer N+1 trips back and forth between your client and server as well as less work to scale if you implement JWT tokens.

#2


2  

JWT:

  1. Any client that has it can ask for stuff (similar to money when buying stuff)
  2. No database lookup once issued - embedded expiry dictates validation

JWT has an expiry date and until that time, it will remain valid. This may be undesirable when you need to log out a user on password reset, or force a logout.

A token blacklist may be used to address the above issues. This will re-introduce persistent or in-memory tracking, which JWT was trying to avoid in the first place. However, the tracking will be on selected keys ONLY, whereas with Basic Token Auth the tracking is for all users.

JWT can be decoded by anyone who has it. Therefore one needs to be mindful of the information packed in the token. The Basic Auth Token, on the other hand, is just a simple hash, which can be seen as just a reference to a user.

With caching and other performance enhancements in mind, one may not need to worry about the overhead, but rather about the convenience and the future-proofing of the flow.

Having full control over authentication, authorization and invalidation is a good thing to have, no matter whether JWT + blacklist or Basic Token Auth is used.

Therefore, the Basic Auth Token may be better if the flow is customized to address the needs.
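The following is an added example, not code from the question, either answer, DRF or the djangorestframework-jwt package. It illustrates both answers with nothing but the Python standard library: answer #1's point that a JWT is validated statelessly by checking its signature and expiry with the server-held key, and answer #2's caveats that anyone holding the token can read its claims, that a forged claim fails the signature check, and that forcing a logout before `exp` needs a blacklist, here keyed by the `jti` claim. The signing key, the user id, the `admin` claim, the one-hour lifetime and the in-memory `REVOKED_JTI` set are all assumptions made for the example; a real deployment would use a vetted JWT library, a key from configuration, and a shared store for the blacklist.

```python
"""Minimal HS256 JWT issue/verify plus a jti blacklist (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

SECRET_KEY = b"constructed-example-signing-key-do-not-reuse"  # assumed; load real keys from config
TOKEN_LIFETIME = 3600  # seconds, assumed

# Revocation list keyed by jti: the "selected keys only" server state from answer #2.
# Entries only need to live until the token's exp has passed.
REVOKED_JTI = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_jwt(user_id: int, is_admin: bool, now: Optional[float] = None) -> str:
    """Issue a compact HS256 JWT. The payload is base64url-encoded, not encrypted."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": str(user_id), "admin": is_admin, "iat": now,
               "exp": now + TOKEN_LIFETIME, "jti": uuid.uuid4().hex}
    signing_input = _json_b64(header) + "." + _json_b64(payload)
    return signing_input + "." + _b64url(_sign(signing_input))


def decode_claims_unverified(token: str) -> dict:
    """What any holder can read without the key: fine for binding UI elements to
    claims in the browser, never for authorization decisions on the server."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Stateless check: signature and exp only, no database round trip.
    Returns the claims on success, None on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side; never let the token choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(_sign(header_b64 + "." + payload_b64), signature):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    # The only stateful step: reject tokens revoked before their exp.
    if claims.get("jti") in REVOKED_JTI:
        return None
    return claims


def revoke_jwt(token: str) -> None:
    """Force logout (e.g. after a password reset) by blacklisting this token's jti."""
    REVOKED_JTI.add(decode_claims_unverified(token)["jti"])


def tamper_claims(token: str, **changes) -> str:
    """Rewrite payload claims but keep the original signature, as an attacker might."""
    header_b64, _, sig_b64 = token.split(".")
    claims = decode_claims_unverified(token)
    claims.update(changes)
    return header_b64 + "." + _json_b64(claims) + "." + sig_b64


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_jwt(42, False, now=t0)
    print("client can read:", decode_claims_unverified(token))
    print("valid:", verify_jwt(token, now=t0 + 10) is not None)
    print("forged admin accepted:", verify_jwt(tamper_claims(token, admin=True), now=t0 + 10) is not None)
    revoke_jwt(token)
    print("valid after revoke:", verify_jwt(token, now=t0 + 10) is not None)
```

Run it and compare the two lines of output before and after `revoke_jwt`: the verification path touches no storage at all until a token has been revoked, which is exactly the trade-off answer #2 describes. Note the `alg` pin in `verify_jwt`: it is what keeps a token that claims `"alg":"none"` or a different algorithm from being accepted, and it is a check every production JWT library must make explicit.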