Use client fingerprint to encode JWT token?

假装没事ソ 提交于 2021-01-28 00:07:47

问题


I'm wondering if it would be best practice to use a clients fingerprint as JWT-secret for encoding. However I couldn't find anything in the WWW concerning this question, but so far it makes sense to me to do it.

I'm thinking about generating a fingerprint client-side with JavaScript and sent it to the API with every call. The API should then use the fingerprint with a hard coded secret together for encoding and decoding the token.

Isn't this a good method to prevent CSRF? Or am I missing out on something else? Or in general: What is the best way to prevent CSRF with JWT? (I'm using PHP and VueJS, is there maybe a case related solution?)


回答1:


I have never heard about that.

A token is signed using a private key or a shared secret. The use of a fingerprint means you can correlate one (or more) fingers to a private key then compute a token.

However, this looks very similar to the Webauthn protocol I am working with. When using Android devices, the browser can interact with the fingerprint/screenlock to authenticate the user. The data sent by the device is a JWT that can be verified using a Google API (see Android SafetyNet).



来源:https://stackoverflow.com/questions/54377272/use-client-fingerprint-to-encode-jwt-token

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!