Should I use JWT or Basic Token authentication in Django Rest Framework?

2022-01-10 00:00:00 python django rest jwt token

Problem description

I'm about to implement Token Authentication in my API using Django Rest Framework. But I'm not sure if I should use the basic token built into DRF or use the JSON Web Token (JWT) standard (using this package: djangorestframework-jwt). The only reference that I found was in the DRF docs:

Unlike the built-in TokenAuthentication scheme, JWT Authentication doesn't need to use a database to validate a token.

Are there any other differences, advantages, or disadvantages to consider?

Note: The API is going to be accessed from the website (using angularjs) and by a mobile app.


Solution

There are many benefits to using JWT tokens regardless of the platform. JWT tokens base64-encode all the user's claims in their body and can be safely decoded on the client into a stateful object. This is hugely beneficial when compared to alternative opaque tokens, which provide zero use to the client app. On login, you immediately have atomic data in the client without additional round trips to the API to poll for user information.

JWT tokens are stateless: there is no need to store or keep track of them server side, which is more scalable horizontally across many servers. They are safe because the private signing key used to grant them is stored server side; any inbound API calls bearing them are simply validated with the private key, guaranteeing they were issued by your Authorization API.

JWT tokens work nicely in Angular, React, and any other client framework. Because they are JSON, you can base64-decode them in the client and bind client UI elements directly to your claims: someone with an admin claim can see an admin menu, and a user without that claim will never know the menu exists, if implemented correctly.

Aside from this, a JWT token still behaves in the same way as any bearer token:

  • Issued by the Authorization API
  • Stored by the client in cookies or local storage
  • Passed to the Resource API in the Authorization header

In summary, you will have fewer N+1 trips back and forth between your client and server, as well as less work to scale, if you implement JWT tokens.
