Ten years of JSON Web Token and preparing for the future

Original link: https://self-issued.info/?p=2708

Ten years ago, in May 2015, JSON Web Token (JWT) became RFC 7519, marking the completion of a four-and-a-half-year effort to create a simple JSON-based security token format and the underlying cryptographic standards (JWS, JWE, JWK, JWA). It was co-designed with OpenID Connect while aiming to be general-purpose and widely useful, and its broad adoption shows that this succeeded. JWT is now used in ways its creators did not imagine at the time. To keep it secure going forward, the JSON Web Token Best Current Practices specification is being updated to address newly identified threats and mitigations. In addition, the JWT profile for OAuth 2.0 is being revised to fix vulnerabilities related to the audience values in tokens.

A recent Hacker News discussion centered on the 10-year anniversary of JSON Web Tokens (JWTs) and their future. Many commenters expressed reservations about JWTs, primarily due to the difficulty of immediate revocation when accounts are compromised or permissions change. This often forces applications to check the database on every request, negating the supposed statelessness of JWTs. Alternatives like revocation lists, short token lifetimes combined with token renewals, and storing revocations in fast caches were suggested to mitigate these issues. Some argued that JWTs are better suited for server-to-server communication than client-server authentication where cookies might be a simpler choice. The debate also covered the complexity of managing authorization data in JWTs, the rise of alternative token formats like PASETO, and the challenges of implementing secure JWT libraries. Overall, while JWTs have become a ubiquitous authentication method, their misuse and limitations continue to be a source of frustration and discussion in the developer community.

Original text

Ten years ago this week, in May 2015, the JSON Web Token (JWT) became RFC 7519. This was the culmination of a 4.5 year journey to create a simple JSON-based security token format and underlying JSON-based cryptographic standards. The full set of RFCs published together was:

  • RFC 7515: JSON Web Signature (JWS)
  • RFC 7516: JSON Web Encryption (JWE)
  • RFC 7517: JSON Web Key (JWK)
  • RFC 7518: JSON Web Algorithms (JWA)
  • RFC 7519: JSON Web Token (JWT)
  • RFC 7520: Examples of Protecting Content Using JSON Object Signing and Encryption (JOSE)
  • RFC 7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC 7522: Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC 7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

It’s certainly the case that we co-designed JWT and its underpinnings with OpenID Connect, while also attempting to create general-purpose, widely useful standards. Given the adoption that’s ensued, it seems that we succeeded.

As I wrote in my post JWTs helping combat fraudulent and unwanted telephone calls, “It’s often said that one sign of a standard having succeeded is that it’s used for things that the inventors never imagined.” I’m gratified that this applies to JWT and the related specifications. As was written in the post Essential Moments in the OAuth and OpenID Connect Timeline, it’s now hard to imagine an online security world without these standards.

That said, there’s work underway to keep JWTs and the use of them secure for the next decade. Five years ago, the JSON Web Token Best Current Practices specification was created. As I wrote then:

This Best Current Practices specification contains a compendium of lessons learned from real JWT deployments and implementations over that period. It describes pitfalls and how to avoid them as well as new recommended practices that enable proactively avoiding problems that could otherwise arise.

My coauthors Yaron Sheffer and Dick Hardt and I are now updating the JWT BCP to describe additional threats and mitigations that have become known in the last five years. See the updated JSON Web Token Best Current Practices specification.

Similarly, my coauthors Brian Campbell and Chuck Mortimore of the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants are updating it and related specifications to address vulnerabilities caused by ambiguities in the audience values of tokens sent to the authorization server. See the RFC7523bis specification.
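Two of the security points raised on this page, the revocation problem discussed in the Hacker News summary above (short lifetimes plus a fast cache of revoked tokens) and the audience-value ambiguity the post mentions for RFC7523bis, can be shown together in a small verifier. The code below is an added example written for this page; it is not code from the post, from the JWT specifications, or from the RFC7523bis draft. It assumes an HS256 token minted with a five-minute lifetime, a `jti` claim used as the revocation handle, an in-memory dictionary standing in for a fast cache such as Redis, and a verifier that accepts the `aud` claim only on an exact string match against the single value it was configured with (that exact-match rule is this example's assumption about a safe policy, not a statement of what RFC7523bis specifies). The key is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for this example only; real deployments load keys from a KMS.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes, lifetime: int = 300, now: Optional[int] = None) -> str:
    """Build a compact HS256 JWT with a short lifetime (default five minutes)."""
    now = int(time.time()) if now is None else now
    body = dict(claims, iat=now, exp=now + lifetime)
    header = {"alg": "HS256", "typ": "JWT"}

    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = enc(header) + "." + enc(body)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class RevocationCache:
    """In-memory stand-in for a fast cache (Redis etc.) of revoked token ids (jti).

    A revoked jti only needs to be remembered until that token's exp; after that the
    expiry check rejects it anyway, so the cache stays bounded by the token lifetime."""

    def __init__(self) -> None:
        self._revoked = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: int) -> bool:
        # Purge entries whose token has already expired.
        for k in [k for k, e in self._revoked.items() if e <= now]:
            del self._revoked[k]
        return jti in self._revoked


def verify_jwt(token: str, key: bytes, expected_aud: str,
               cache: RevocationCache, now: Optional[int] = None) -> dict:
    """Check alg, signature, exp, audience and revocation; raise ValueError on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # The verifier pins the algorithm; the token's own alg header is never trusted.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    # Audience: exact string match against the one value this verifier was configured
    # with (assumption for this example); no prefix, substring or host-only matching.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("audience mismatch")
    jti = claims.get("jti")
    if not isinstance(jti, str):
        raise ValueError("missing jti")
    if cache.is_revoked(jti, now):
        raise ValueError("revoked")
    return claims


if __name__ == "__main__":
    cache = RevocationCache()
    aud = "https://as.example/token"  # constructed token endpoint identifier
    tok = mint_jwt({"iss": "client-1", "sub": "client-1", "aud": aud, "jti": "t1"}, DEMO_KEY)
    print("accepted:", verify_jwt(tok, DEMO_KEY, aud, cache)["sub"])
    cache.revoke("t1", verify_jwt(tok, DEMO_KEY, aud, cache)["exp"])
    try:
        verify_jwt(tok, DEMO_KEY, aud, cache)
    except ValueError as err:
        print("rejected:", err)
```

The revocation cache only has to answer for tokens that are still inside their lifetime, which is why short lifetimes and a fast cache go together: the database lookup on every request that the Hacker News commenters complained about is replaced by a bounded, cache-sized denylist keyed by `jti`. The audience check rejects a token minted for `https://as.example` when the verifier expects `https://as.example/token`, rather than accepting any value that merely shares a host.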

I’m truly grateful that my coauthors John Bradley and Nat Sakimura and I created something useful and widely used ten years ago, of course with substantial contributions from the OAuth, JOSE, and OpenID Connect working groups. I look forward to what the next decade will bring!
