Updated: 2023-11-30 23:46:52
1) Is it reasonable to combine AD authorization with JWT as a bearer token, or what is the preferred way to build a secure backend + frontend using AD for authentication?
It is reasonable, but if you are already using Kerberos and AD to initially authenticate the user, you might consider using s4u2proxy constrained delegation, which allows the service to present the user's service ticket to the KDC and acquire (subject to authorisation checks) a ticket for a backend service (and repeat for as many services as are necessary).
If you have a lot of backend services that need to be contacted, a single JWT bearing all the authorization claims needed for all the services to enforce authorization policy may be a better option.
2) If JWT is a good idea, what is the best practice for securing endpoints using JWT? Is using a server-side session reasonable?
General key security practices apply: