ASP.NET Identity Bearer Token vs JWT Pros and Cons

猫巷女王i 2021-02-05 07:24

I have used ASP.NET Identity for a while now and have been looking at JWT (JSON Web Token) as they seem really interesting and easy to use.

JWT.IO has a great example/to

3 answers

一整个雨季 2021-02-05 07:55

    JWTs are like a ticket to an attraction. It contains all the security information a server needs embedded in it. Once the server has handed it out the client just needs to present it whenever it asks for something and the server responds accordingly if it's valid.

    The contents are entirely viewable, but they're signed using a secret key by the server so it can tell if they've been tampered with.

    Since everything is in the JWT, and the client can present it to whomever they want, you can use it for Single Sign On as long as the different servers share the same secret so they can verify the signature.

    Like a ticket, a JWT has an expiry date. As long as it hasn't expired, it's valid. This means you can't revoke them before that. For this reason JWTs often have short expiry times (30 mins or so) and the client is also issued a refresh token in order to renew the JWT quickly when it expires.

    JWTs

    • Not stored on the server
    • Great for SSO
    • Can't be revoked prematurely

    Bearer tokens are like a guest list. The server puts the client on the guest list, then provides a pass code to identify it when it wants something. When the client provides the code, the server looks it up on the list and checks that it's allowed to do whatever it's asking.

    The server has to have the list available to it so if you want to share access across servers, they either all need to be able to access the list (database), or talk to some authority that has it (auth server).

    On the other hand, since they have the guest list, they can take you off it whenever they want.

    Bearer Tokens

    • Stored on the server
    • Can be revoked at any time
    • Requires a central authority or shared database to share the token across servers

    Bit of Tech has some excellent tutorials on implementing JWTs with Web Api if you want to go down that route.

    http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/
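    The two models the answer contrasts, as an added, language-neutral illustration (not code from the post, not ASP.NET Identity's own implementation): a self-contained HS256 JWT that any server holding the shared secret can verify and that stays valid until `exp`, beside an opaque bearer token that is only meaningful to the store that issued it and can be revoked at any time. The secret and the clock values are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"  # shared by every server that must verify JWTs


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_claims(obj: dict) -> str:
    """Compact JSON, base64url-encoded, as used for JWT header and payload."""
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_jwt(sub: str, ttl_seconds: int, now: int) -> str:
    """The 'ticket': claims plus an HMAC over header.payload; nothing is stored."""
    header = encode_claims({"alg": "HS256", "typ": "JWT"})
    payload = encode_claims({"sub": sub, "exp": now + ttl_seconds})
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: int):
    """Returns the claims if the signature is intact, alg is the one expected and exp is in the future."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(payload))
        got_sig = _b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return None
    if hdr.get("alg") != "HS256":  # never trust the token to pick its own algorithm
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(got_sig, expected):
        return None  # tampered, or signed with a different secret
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired; there is no other way to invalidate it
    return claims


class TokenStore:
    """The 'guest list': opaque reference tokens looked up (and revocable) server-side."""
    def __init__(self):
        self._active = {}

    def issue(self, sub: str) -> str:
        token = secrets.token_urlsafe(32)  # random handle, carries no information itself
        self._active[token] = sub
        return token

    def lookup(self, token: str):
        return self._active.get(token)

    def revoke(self, token: str) -> None:
        self._active.pop(token, None)
```

    Every server that verifies the JWT needs `SECRET`, which is exactly the SSO trade-off the answer describes; the `TokenStore` instead has to be reachable (a shared database or auth server) by every server that accepts its tokens.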
