OAuth2 Grant Type Password is Revoking other access_token


Problem description

I've been trying to learn some server-side frameworks these days. I am not an expert on OAuth2, but I had used an API with a team. They gave me access using the Resource Owner Credentials grant, with grant_type as password, a client_id and a client_secret. I can log in on multiple browsers at the same time. When I tried Sails.js OAuth2 and Laravel Passport OAuth2, I got confused. Both of them, using grant_type password, revoke my old access_token. Using Laravel Passport and Sails.js OAuth2 with grant_type password, I can log in only on one device or browser at a time. I'm confused which one is the right thing to do.

Is this how OAuth2 really works? You can only log in and use one access token?

If this is the standard way, revoking the old access token, what grant type should I use so that my multiple devices can log in at the same time?

Recommended answer

The behavior --- whether issuing a new access token invalidates existing access tokens or not --- depends on OAuth 2.0 server implementations. The OAuth 2.0 specification (RFC 6749) does not impose any restrictions on the behavior.

In fact, a certain OAuth 2.0 server implementation provides a feature to enable server administrators to configure the behavior. The following is a screenshot of the description about the configuration item ("Single Access Token Per Subject").

So, what matters is not grant_type but the implementation policy of the OAuth 2.0 server you are using.
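As an added illustration of the answer's point (a constructed example, not code from Sails.js, Laravel Passport or any real authorization server), this minimal token store implements the password grant with a single_token_per_subject switch: the same grant type either revokes the previous login or leaves it valid, depending only on that server policy. The user, client credentials and token lifetime are made-up values.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class AccessToken:
    value: str
    subject: str  # resource owner the token was issued to
    client_id: str
    expires_at: float
    revoked: bool = False

class TokenServer:
    """Token endpoint for the password grant (RFC 6749 section 4.3).
    single_token_per_subject models the configuration item the answer mentions:
    True revokes the subject's other tokens on each new issue, False lets them coexist."""

    def __init__(self, single_token_per_subject, ttl=3600):
        self.single_token_per_subject = single_token_per_subject
        self.ttl = ttl
        self._tokens = {}  # token value -> AccessToken
        # Constructed demo credentials; a real server stores password hashes.
        self._users = {"alice": "correct horse battery staple"}
        self._clients = {"web-app": "s3cret"}

    def password_grant(self, client_id, client_secret, username, password):
        if not secrets.compare_digest(self._clients.get(client_id, ""), client_secret):
            raise PermissionError("invalid_client")
        if not secrets.compare_digest(self._users.get(username, ""), password):
            raise PermissionError("invalid_grant")
        if self.single_token_per_subject:  # policy decision, not a grant-type rule
            for tok in self._tokens.values():
                if tok.subject == username:
                    tok.revoked = True
        tok = AccessToken(secrets.token_urlsafe(32), username, client_id,
                          time.time() + self.ttl)
        self._tokens[tok.value] = tok
        return tok.value

    def introspect(self, value):
        # RFC 7662-style check: present, not revoked and not expired.
        tok = self._tokens.get(value)
        return tok is not None and not tok.revoked and tok.expires_at > time.time()

def two_device_login(single_token_per_subject):
    # Log alice in from two devices; report whether each token is still usable.
    srv = TokenServer(single_token_per_subject)
    first = srv.password_grant("web-app", "s3cret", "alice", "correct horse battery staple")
    second = srv.password_grant("web-app", "s3cret", "alice", "correct horse battery staple")
    return srv.introspect(first), srv.introspect(second)
```

With the switch on, the first device's token is dead as soon as the second logs in; with it off, both stay valid until they expire.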
