OAuth token revocation for Forgot password


Problem description

Should the OAuth tokens be revoked if the customer goes through a forgot-password flow and changes his password?

Recommended answer

One reason for changing a password is when a user notices that someone else had access to his account. In this case an attacker who once had access with the old password and used OAuth to get an access token could still have access to the account, even though the user changed his password to prevent this.

E.g. for some obscure reason (weak password, trojan, etc.) your GMail account was hacked and used to send spam. The attacker used Google's IMAP with OAuth feature and got a valid access token. Now somehow you notice they're sending spam in your name and you change your password. The attacker still has a valid access token and can continue sending spam.

Revoking the token should be independent of the reason why the user changes his password. If he changes it, you should revoke all tokens and let him sign up once again.
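The scenario in the answer, as an added example that is not part of the original question or answer: a constructed in-memory authorization server binds every access token to a per-account "credential generation" counter; a password reset bumps the counter and purges the account's tokens, so a token the attacker obtained with the old password stops working even if a copy of it survives elsewhere. The hashing helper and the password grant are simplified placeholders for illustration only.

```python
import hashlib
import secrets
from typing import Optional

# Constructed in-memory stand-in for an authorization server's state.
# A real deployment would use a proper password hash (argon2/bcrypt) and a shared token DB.
ACCOUNTS = {}   # username -> {"pw_hash": str, "credential_generation": int}
TOKENS = {}     # access token -> {"user": str, "generation": int}

def _hash(password: str) -> str:
    # Placeholder so the example is self-contained; NOT a password hashing scheme.
    return hashlib.sha256(password.encode()).hexdigest()

def register(username: str, password: str) -> None:
    ACCOUNTS[username] = {"pw_hash": _hash(password), "credential_generation": 0}

def issue_token(username: str, password: str) -> Optional[str]:
    """Password grant: return a bearer token if the password matches, else None."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct["pw_hash"] != _hash(password):
        return None
    token = secrets.token_urlsafe(32)
    # The token remembers which credential generation was current when it was issued.
    TOKENS[token] = {"user": username, "generation": acct["credential_generation"]}
    return token

def token_is_valid(token: str) -> bool:
    """Resource-server check: token must exist and must not predate a password change."""
    entry = TOKENS.get(token)
    if entry is None:
        return False
    return entry["generation"] == ACCOUNTS[entry["user"]]["credential_generation"]

def reset_password(username: str, new_password: str) -> int:
    """Forgot-password / change-password path. Bumps the generation so every token
    issued before this point is rejected, then purges them. Returns count revoked."""
    acct = ACCOUNTS[username]
    acct["pw_hash"] = _hash(new_password)
    acct["credential_generation"] += 1
    stale = [t for t, e in TOKENS.items() if e["user"] == username]
    for t in stale:
        del TOKENS[t]
    return len(stale)

def demo() -> dict:
    """Attacker's token (obtained with the leaked password) survives until the reset."""
    register("alice", "weak-password")
    attacker_token = issue_token("alice", "weak-password")
    before = token_is_valid(attacker_token)
    revoked = reset_password("alice", "Correct-Horse-Battery")
    after = token_is_valid(attacker_token)
    new_token = issue_token("alice", "Correct-Horse-Battery")
    return {"before": before, "revoked": revoked, "after": after, "new_valid": token_is_valid(new_token)}
```

The generation check matters when tokens are cached or replicated outside the primary store: the purge handles the common case, and the generation comparison rejects any stale copy the purge missed.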
