JWT: authentication in Slim v3 and Android

Problem description:

I am using the Slim framework to return JSON to my Android device. I am currently working on login on my device. I am using 3 different ways to log in: Facebook, Google and account login. When the user takes account login, he can register a new account or log in with an existing one.

For security on my web service I thought to use JWT security. So I am reading and watching videos about how it works. I think I understand how it works, but I cannot find anything about how to implement it correctly.

The middleware I use for Slim v3 is called Slim-JWT-Auth. I found the following link to implement this in my Slim framework, and it works correctly, I think.

Now my questions:

  1. How do I generate my token?
  2. When do I generate my token?
  3. Do I also need a token when using Google or Facebook sign-in, because they already use an OAuth 2.0 token?

I understand how it works, but nobody is talking about when and how to implement it. So when do I need to generate the token (on login on the web service?), and do I need to generate a token after every start of the app, or do I just need to wait until the token expires?

How do I generate the token?

Since the middleware already includes the firebase/php-jwt library, you can use it to generate the token.

use Firebase\JWT\JWT;

$now = new DateTime();
$future = new DateTime("now +2 hours");
$server = $request->getServerParams();
$payload = [
    "iat" => $now->getTimeStamp(),    // issued at
    "exp" => $future->getTimeStamp(), // expires two hours from now
    "sub" => $server["PHP_AUTH_USER"] // user authenticated by HTTP basic auth
];

$secret = "supersecretkeyyoushouldnotcommittogithub";
$token = JWT::encode($payload, $secret, "HS256");

When do I generate the token?

In your API you can, for example, include a password-protected route which returns the token. All other routes except /token are JWT authenticated. The client can request a token with every request, or just always a bit before the old one expires.

use Firebase\JWT\JWT;

// Basic auth protects only the /token route.
$app->add(new \Slim\Middleware\HttpBasicAuthentication([
    "path" => "/token",
    "users" => [
        "test" => "test"
    ]
]));

// JWT auth protects everything else; /token is passed through.
$app->add(new \Slim\Middleware\JwtAuthentication([
    "secret" => "supersecretkeyyoushouldnotcommittogithub",
    "rules" => [
        new \Slim\Middleware\JwtAuthentication\RequestPathRule([
            "path" => "/",
            "passthrough" => ["/token"]
        ])
    ]
]));

$app->post("/token", function ($request, $response, $arguments) {

    $now = new DateTime();
    $future = new DateTime("now +2 hours");
    $server = $request->getServerParams();

    $payload = [
        "iat" => $now->getTimeStamp(),
        "exp" => $future->getTimeStamp(),
        "sub" => $server["PHP_AUTH_USER"],
    ];
    $secret = "supersecretkeyyoushouldnotcommittogithub";
    $token = JWT::encode($payload, $secret, "HS256");
    $data = [];
    $data["status"] = "ok";
    $data["token"] = $token;

    return $response->withStatus(201)
        ->withHeader("Content-Type", "application/json")
        ->write(json_encode($data, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT));
});

Do I also need a token when using Google or Facebook sign-in, because they already use an OAuth 2.0 token?

There is no clear answer to this. It "depends". You could, for example, authenticate your /token route with Facebook or Google and return your own JWT token from there.

There is a work-in-progress, more detailed example implementation of everything above that you might want to check.
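As an added example (not from the original answer or from the Slim-JWT-Auth project), here is what the HS256 token from the "how" and "when" sections above looks like underneath, written with Python's standard library so it runs offline: the same `{iat, exp, sub}` payload that `JWT::encode` signs, the checks the middleware has to make on every protected request (pinned algorithm, constant-time signature comparison, `exp` with optional leeway), and the client-side decision of when to ask `/token` again. The secret is the one from the answer; the timestamps and `margin` are constructed values.

```python
import base64, hashlib, hmac, json

# Same placeholder secret as in the answer; in production load it from config, never commit it.
SECRET = b"supersecretkeyyoushouldnotcommittogithub"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(payload: dict, secret: bytes) -> str:
    """Build the compact JWT that firebase/php-jwt's JWT::encode($payload, $secret, 'HS256') emits."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def issue_token(sub: str, now: int, ttl: int = 2 * 3600) -> str:
    # What the /token route does once basic auth succeeded: iat = now, exp = now + 2h, sub = user.
    return encode_hs256({"iat": now, "exp": now + ttl, "sub": sub}, SECRET)

def verify_hs256(token: str, secret: bytes, now: int, leeway: int = 0) -> dict:
    """Server side: return the claims or raise ValueError. Pins alg, checks signature, then exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("expired")
    return claims

def is_valid(token: str, secret: bytes, now: int, leeway: int = 0) -> bool:
    try:
        verify_hs256(token, secret, now, leeway)
        return True
    except ValueError:  # binascii.Error from bad base64 is a ValueError subclass
        return False

def needs_refresh(token: str, now: int, margin: int = 300) -> bool:
    # Client side (the app): exp is readable without the secret, so ask /token again a bit before it.
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return now >= claims["exp"] - margin
```

The `needs_refresh` check answers question 2: the app does not need a new token on every launch, only when the stored one is about to expire (or has been rejected with 401).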