OAuth Client Credentials Reissue Access Token vs. Refresh Token
Question
Read through a few similar posts in regards to the purpose of refresh tokens in OAuth 2 flows, and they make sense for user-attended authentication such as username and password, but for the OAuth 2 client credentials flow, why risk utilizing a refresh token at all?
Is there less system strain or is it faster to use a refresh token to get a new access token after it has expired as opposed to getting an access token through client id and client secret authentication?
Referenced posts:
Answer
The short and skinny is -- the client can act on its own behalf without involving a resource owner; just request a new access token as before.
...but for the OAuth 2 client credentials flow, why risk utilizing a refresh token at all?
Nice observation; the client credentials flow does not issue refresh tokens. Absent a resource owner, it's reasonable to assume the client can request a new access token as needed.
Is there less system strain or is it faster to use a refresh token to get a new access token after it has expired as opposed to getting an access token through client id and client secret authentication?
While it's certainly implementation specific on how "fast" a refresh token is processed, it's likely marginally slower to process a refresh token over a request for a new access token. This is due to the client being able to directly request an access token which does not require validation of a refresh token against the calling client.
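The pattern the answer describes, as an added example that is not part of the original post: a client credentials token source that caches the access token until shortly before `expires_in` elapses and then simply re-authenticates with its own client ID and secret, storing no refresh token at all. The token endpoint is injected (and the clock is controllable) so the logic runs offline; the class and function names are assumptions for this example.

```python
import base64
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# A token endpoint call: (form fields, Authorization header) -> parsed JSON
# token response (RFC 6749 section 5.1). Injectable so the logic runs offline.
TokenEndpoint = Callable[[Dict[str, str], str], Dict[str, object]]

@dataclass
class ClientCredentialsTokenSource:
    client_id: str
    client_secret: str
    endpoint: TokenEndpoint
    clock: Callable[[], float] = time.time
    skew: float = 30.0  # re-request this many seconds before expiry
    requests_made: int = field(default=0, init=False)
    _token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def _basic_auth(self) -> str:
        # client_secret_basic: credentials travel in the Authorization header.
        raw = f"{self.client_id}:{self.client_secret}".encode()
        return "Basic " + base64.b64encode(raw).decode()

    def _fetch(self) -> None:
        resp = self.endpoint({"grant_type": "client_credentials"}, self._basic_auth())
        if str(resp.get("token_type", "")).lower() != "bearer" or "access_token" not in resp:
            raise ValueError("unexpected token response")
        # No refresh_token handling on purpose: the client can always
        # re-authenticate with its own credentials, so there is nothing to keep.
        self._token = str(resp["access_token"])
        self._expires_at = self.clock() + float(resp.get("expires_in", 0))
        self.requests_made += 1

    def access_token(self) -> str:
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            self._fetch()
        return self._token

def demo() -> tuple:
    # Constructed stand-in endpoint and clock so the example runs offline.
    now, seen_auth = [1_000_000.0], []
    def endpoint(form: Dict[str, str], authorization: str) -> Dict[str, object]:
        seen_auth.append(authorization)
        return {"access_token": f"tok{len(seen_auth)}", "token_type": "Bearer", "expires_in": 3600}
    src = ClientCredentialsTokenSource("app", "s3cret", endpoint, clock=lambda: now[0])
    tokens = [src.access_token(), src.access_token()]  # second call served from cache
    now[0] += 3600 - 10                                 # inside the skew window: renew
    tokens.append(src.access_token())
    return tokens, src.requests_made, seen_auth[0]
```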