tzssangglass commented on issue #5281:
URL: https://github.com/apache/apisix/issues/5281#issuecomment-946843735


   > That is, if the token is given to someone else, they can also access the API.
   
   Yes, JWT is designed to do so.
   
   > I thought the private key would be used by the client to encrypt the token, and then jwt-auth could decrypt it with the public key or the signature, but that is not the case.
   
   I don't want to discuss this. JWT generation and validation should be done 
by the server.
   
   > The public key and private key do not seem to serve any purpose.
   
   The private key is stored in the place where the JWT is issued, and the 
public key is stored in the place where the JWT is verified, so as to 
effectively prevent the private key from being leaked.
   
   > Is there a way to solve this, for example by giving the user a private key, so that only a user who holds the private key can access the API with a valid token?
   
   What is the difference between this and username/password login? It is 
actually possible to achieve.


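Added example (not code from the APISIX project or from the commenter): a minimal RS256 issue/verify split in Go's standard library that shows the key placement described in the comment. The `Issuer` holds the private key and is the only party that can mint tokens; the `Verifier`, standing in for the gateway, holds only the public key and can check signatures but not create them. `ForgePayload` shows what someone with a captured token and the public key can do (rewrite the claims), and that the verifier rejects it. The `Issuer`, `Verifier` and `ForgePayload` names and the RS256/PKCS#1 v1.5 choice are this example's own assumptions, not APISIX jwt-auth internals.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Issuer is the auth service: the only party holding the RSA private key.
type Issuer struct{ priv *rsa.PrivateKey }

// Verifier is the gateway: it holds only the public key, so compromising it
// yields nothing that can mint new tokens.
type Verifier struct{ pub *rsa.PublicKey }

// NewKeyPair generates a fresh 2048-bit RSA key and splits it between the two
// roles (assumption for this example; in production the private key never
// leaves the issuer host).
func NewKeyPair() (*Issuer, *Verifier, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Issuer{priv: priv}, &Verifier{pub: &priv.PublicKey}, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue mints an RS256 JWT (base64url header.claims.signature) for sub.
func (i *Issuer) Issue(sub string, exp time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"sub": sub, "exp": exp.Unix()})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Verify checks signature and expiry with the public key only and returns the
// subject. Whoever presents a valid token is accepted: a JWT is a bearer token.
func (v *Verifier) Verify(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var raw [3][]byte
	for n, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return "", errors.New("bad base64url segment")
		}
		raw[n] = b
	}
	// Pin the algorithm instead of trusting the header, so "alg":"none" or an
	// HMAC keyed with the public key cannot be substituted by the token holder.
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return "", errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(v.pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return "", errors.New("signature does not verify")
	}
	var claims struct {
		Sub string `json:"sub"`
		Exp int64  `json:"exp"`
	}
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return "", errors.New("bad claims")
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return "", errors.New("token expired")
	}
	return claims.Sub, nil
}

// ForgePayload is all someone with a captured token and the public key can do:
// rewrite the claims and reuse the old signature, which Verify rejects.
func ForgePayload(token, sub string, exp time.Time) string {
	parts := strings.Split(token, ".")
	claims, _ := json.Marshal(map[string]interface{}{"sub": sub, "exp": exp.Unix()})
	return parts[0] + "." + b64(claims) + "." + parts[2]
}

func main() {
	issuer, verifier, _ := NewKeyPair()
	now := time.Now()
	tok, _ := issuer.Issue("alice", now.Add(time.Hour))
	fmt.Println(verifier.Verify(tok, now))
	fmt.Println(verifier.Verify(ForgePayload(tok, "admin", now.Add(time.Hour)), now))
}
```

Run it with `go run` to see the genuine token accepted and the rewritten one rejected. The thing the gateway cannot do with the public key alone is sign, which is why the private key belongs only with the issuer; and because nothing in `Verify` ties the token to the presenter, any holder of a valid token gets through until it expires, which is the bearer behaviour the comment describes.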