Do OAuth2 access tokens for a mobile app have to expire?


Question

The accepted answer here as to why OAuth2 access tokens expire:

  • Many providers support bearer tokens which are very weak security-wise. By making them short-lived and requiring refresh, they limit the time an attacker can abuse a stolen token. (What does this mean? I think it means permitting transmission without TLS? Anything else?)
  • Large scale deployments don't want to perform a database lookup every API call, so instead they issue self-encoded access tokens which can be verified by decryption. However, this also means there is no way to revoke these tokens, so they are issued for a short time and must be refreshed.
  • The refresh token requires client authentication which makes it stronger. Unlike the above access tokens, it is usually implemented with a database lookup.

Assuming that we don't support non-encrypted transmission of the access token takes care of the first bullet point.

Assuming that we are fine with doing a database lookup against a revokable, completely random access token takes care of the second one.

For mobile apps, client authentication cannot be stronger, because "the client_id and client_secret obtained during registration are embedded in the source code of your application. In this context, the client_secret is obviously not treated as a secret." (Google). That eliminates the third concern.

So what is the benefit of separating short-lived access tokens and long-lived refresh tokens in this scenario? Is it "okay" to just issue non-expiring access tokens and ignore the whole refresh token part?

Answer

The difference between a refresh token and a non-expiring access token in terms of security is one additional call to the authorization server.

If an attacker gains access to your non-expiring access token, he can directly call your resource server and get confidential data as a response.
Now if he steals your refresh token, he first has to call the authorization server and receive an access token in response. Then he can query the resource server for confidential data.

Each time an access token is requested from your authorization server using a refresh token, the OAuth 2 specification (at least the latest draft for now) requires the server to check the client identity and whether it is bound to the token, if possible.

As the normal approach with a client secret does not work to definitely identify an installed application on an open platform, the platform running the application has to provide methods to do this. Google, for example, requires Android applications to be signed by the developer. When requesting credentials for an Android application using the Google API Console, you therefore have to specify the fingerprint of the certificate you used for signing the application and only get a client ID, but no secret, in response. On issuing tokens, Google can then decide if the application was authorized by the developer to request tokens in his name.

If you definitely can't verify the client identity, it is at least possible in some cases to recognize that a refresh token was stolen. The specification has an example for this:

When client authentication is not possible, the authorization server SHOULD deploy other means to detect refresh token abuse.

For example, the authorization server could employ refresh token rotation in which a new refresh token is issued with every access token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach.
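The following is an added example and not code from the original answer or from any real authorization server. It models the refresh token rotation with reuse detection that the spec text above recommends, for a public client (a mobile app whose client_secret is not secret) where the only "client authentication" available is a client_id match. It also shows the other half of the question's setup: random access tokens validated by a database lookup, kept short-lived anyway. The class and method names, the `mobile-app` client_id, the user names and the 600-second lifetime are all assumptions.

```python
"""Refresh token rotation with reuse detection on the authorization server.

Added example (not from the original post or any real OAuth server).
Every refresh rotates the refresh token; a retired token showing up
again means two parties hold the chain, so the whole chain is revoked.
Names, client_id values and lifetimes are illustrative assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class TokenFamily:
    """One chain of rotated refresh tokens descending from a single user grant."""
    user: str
    client_id: str
    current: str                                     # only token that may be redeemed
    retired: Set[str] = field(default_factory=set)   # kept so reuse can be recognised
    revoked: bool = False


class AuthorizationServer:
    # Access tokens are random and looked up in a table (so they are revocable),
    # but still short-lived so a stolen one stops working even if nobody notices.
    ACCESS_TOKEN_TTL = 600  # seconds (assumed value)

    def __init__(self) -> None:
        self._families: Dict[str, TokenFamily] = {}   # refresh token -> family
        self._access: Dict[str, tuple] = {}            # access token -> (user, expiry)

    def _issue_access_token(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._access[token] = (user, time.time() + self.ACCESS_TOKEN_TTL)
        return token

    def introspect(self, access_token: str) -> Optional[str]:
        """Resource-server side: database lookup, returns the user or None."""
        entry = self._access.get(access_token)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]

    def grant(self, user: str, client_id: str) -> dict:
        """Initial grant after user consent: first access/refresh token pair."""
        refresh_token = secrets.token_urlsafe(32)
        self._families[refresh_token] = TokenFamily(user, client_id, refresh_token)
        return {"access_token": self._issue_access_token(user),
                "refresh_token": refresh_token}

    def refresh(self, refresh_token: str, client_id: str) -> Optional[dict]:
        """Redeem a refresh token; returns a new pair, or None if refused.

        The client_id check is all the 'client authentication' a public
        client can offer, so the real protection is the rotation below.
        """
        family = self._families.get(refresh_token)
        if family is None or family.client_id != client_id or family.revoked:
            return None
        if refresh_token in family.retired:
            # A token we already invalidated came back: both the attacker and
            # the legitimate client hold this chain. Kill the whole family so
            # the user has to re-authorize instead of letting either side win.
            family.revoked = True
            return None
        new_refresh = secrets.token_urlsafe(32)
        family.retired.add(refresh_token)
        family.current = new_refresh
        self._families[new_refresh] = family
        return {"access_token": self._issue_access_token(family.user),
                "refresh_token": new_refresh}

    def family_revoked(self, refresh_token: str) -> bool:
        family = self._families.get(refresh_token)
        return family is not None and family.revoked


def simulate_theft() -> dict:
    """Walk through the spec's scenario: attacker copies R1, the legitimate
    client rotates R1 -> R2, the attacker then presents R1."""
    server = AuthorizationServer()
    first = server.grant("alice", "mobile-app")
    stolen = first["refresh_token"]                     # attacker's copy of R1
    legit = server.refresh(stolen, "mobile-app")        # legit: R1 retired, R2 issued
    attacker = server.refresh(stolen, "mobile-app")     # attacker replays R1 -> detected
    legit_again = server.refresh(legit["refresh_token"], "mobile-app")  # R2 is dead too
    return {
        "legit_first_ok": legit is not None,
        "attacker_refused": attacker is None,
        "family_revoked": server.family_revoked(stolen),
        "legit_second_refused": legit_again is None,
    }


if __name__ == "__main__":
    print(simulate_theft())
```

The order of the two parties does not matter: if the attacker redeems R1 first, the legitimate client is the one that later presents the retired token, and the chain is revoked all the same. Either way the outcome is a forced re-authorization rather than a silently persisting stolen credential, which is exactly what a non-expiring access token cannot give you.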
