且构网 - sharing what programmers run into in development

Using JWT and Active Directory authentication in a NodeJS backend

Updated: 2023-11-30 23:46:52

1) Is it reasonable to combine AD authorization with JWT as a bearer token, or what is the preferred way to build a secure backend + frontend utilizing AD for authentication?

It is reasonable, but if you are already using Kerberos and AD to initially authenticate the user, you might consider using s4u2proxy constrained delegation, which allows the service to present the user's service ticket to the KDC and acquire (subject to authorisation checks) a ticket for a backend service (and repeat for as many services as are necessary).

If you have a lot of backend services that need to be contacted, a single JWT bearing all the authorization claims needed for all the services to enforce authorization policy may be a better option.

2) If JWT is a good idea, what is the best practice for securing endpoints using JWT? Is using a server-side session reasonable?

General key security practices apply:

  • Never store keys in the clear in non-volatile storage, anywhere.
  • Ideally do not store encrypted keys in attached storage on the server where, if the server is compromised, they would be subject to offline attack. Make them available to the host only at server startup.
  • Ensure key material resides in secure memory so that it cannot be swapped to disk (and/or use encrypted swap).
  • Use public key algorithms so that no secret key needs to exist on multiple hosts.
  • Consider using a hardware security module (HSM).