What is the OAuth 2.0 Bearer Token exactly?


Question


According to RFC 6750 (The OAuth 2.0 Authorization Framework: Bearer Token Usage), the bearer token is:

A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can.

To me this definition is vague and I can't find any specification.

  • Suppose I am implementing an authorization provider, can I supply any kind of string for the bearer token?
  • Can it be a random string?
  • Does it have to be a base64 encoding of some attributes?
    Should it be hashed?
  • And does the service provider need to query the authorization provider in order to validate this token?

Thank you for any pointers.

Solution

Bearer Token
A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).

The Bearer Token is created for you by the Authentication server. When a user authenticates your application (client) the authentication server then goes and generates for you a Token. Bearer Tokens are the predominant type of access token used with OAuth 2.0. A Bearer token basically says "Give the bearer of this token access".

The Bearer Token is normally some kind of opaque value created by the authentication server. It isn't random; it is created based upon the user giving you access and the client your application getting access.

In order to access an API for example you need to use an Access Token. Access tokens are short lived (around an hour). You use the bearer token to get a new Access token. To get an access token you send the Authentication server this bearer token along with your client id. This way the server knows that the application using the bearer token is the same application that the bearer token was created for. Example: I can't just take a bearer token created for your application and use it with my application; it won't work because it wasn't generated for me.

Google Refresh token looks something like this: 1/mZ1edKKACtPAb7zGlwSzvs72PvhAbGmB8K1ZrGxpcNM

Copied from comment: I don't think there are any restrictions on the bearer tokens you supply. The only thing I can think of is that it's nice to allow more than one. For example, a user can authenticate the application up to 30 times and the old bearer tokens will still work. Oh, and if one hasn't been used for, say, 6 months I would remove it from your system. It's your authentication server that will have to generate them and validate them, so how it's formatted is up to you.

Update:

A Bearer Token is set in the Authorization header of every Inline Action HTTP Request. For example:

POST /rsvp?eventId=123 HTTP/1.1
Host: events-organizer.com
Authorization: Bearer AbCdEf123456
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/1.0 (KHTML, like Gecko; Gmail Actions)

rsvpStatus=YES

The string "AbCdEf123456" in the example above is the bearer authorization token. This is a cryptographic token produced by the authentication server. All bearer tokens sent with actions have the issue field, with the audience field specifying the sender domain as a URL of the form https://. For example, if the email is from noreply@example.com, the audience is https://example.com.

If using bearer tokens, verify that the request is coming from the authentication server and is intended for the sender domain. If the token doesn't verify, the service should respond to the request with an HTTP response code 401 (Unauthorized).

Bearer Tokens are part of the OAuth V2 standard and widely adopted by many APIs.
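As an added example (not part of the original question or answer, and not taken from any library), the sketch below puts the points raised in the question and in the answer's update into running Python: an authorization server that mints an opaque, random bearer token and stores only its hash; a resource server that pulls the token out of an `Authorization: Bearer` header following the b64token grammar of RFC 6750, checks it with an RFC 7662-style introspection lookup, rejects expired, revoked or wrong-audience tokens, and answers with 401 plus a `WWW-Authenticate: Bearer` challenge as RFC 6750 section 3 describes. The in-memory store, the class and function names, the realm string and the sample client, subject and audience values are all constructed for the example.

```python
import hashlib
import re
import secrets
import time
from dataclasses import dataclass

# Constructed example: an in-memory authorization server that issues opaque
# bearer tokens, plus the resource-server checks that accept or reject them.
# All class and function names here are hypothetical.


@dataclass
class TokenRecord:
    token_hash: str   # only a SHA-256 of the token is stored, never the token
    client_id: str
    subject: str
    audience: str
    expires_at: float


class AuthorizationServer:
    def __init__(self):
        self._tokens = {}  # token_hash -> TokenRecord

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, client_id, subject, audience, lifetime=3600, now=None):
        """Mint a random opaque token: 32 CSPRNG bytes, URL-safe base64."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash(token)] = TokenRecord(
            self._hash(token), client_id, subject, audience, now + lifetime)
        return token

    def introspect(self, token, now=None):
        """RFC 7662-style lookup: is this token live, and for whom?"""
        now = time.time() if now is None else now
        rec = self._tokens.get(self._hash(token))
        if rec is None or rec.expires_at <= now:
            return {"active": False}
        return {"active": True, "client_id": rec.client_id, "sub": rec.subject,
                "aud": rec.audience, "exp": rec.expires_at}

    def revoke(self, token):
        self._tokens.pop(self._hash(token), None)


# RFC 6750 section 2.1:
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def parse_bearer(headers):
    """Return the token from 'Authorization: Bearer <b64token>', else None."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "authorization"), None)
    if value is None:
        return None
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not _B64TOKEN.fullmatch(token):
        return None
    return token


def handle_request(auth_server, expected_audience, headers, now=None):
    """Resource-server side: returns (status, response_headers, body)."""
    token = parse_bearer(headers)
    if token is None:
        # No usable credential: bare challenge, no error code (RFC 6750 3.1)
        return 401, {"WWW-Authenticate": 'Bearer realm="events-organizer.com"'}, ""
    info = auth_server.introspect(token, now)
    if not info["active"]:
        return 401, {"WWW-Authenticate":
                     'Bearer realm="events-organizer.com", error="invalid_token"'}, ""
    if info["aud"] != expected_audience:
        # A token minted for another service must not be accepted here
        return 401, {"WWW-Authenticate":
                     'Bearer realm="events-organizer.com", error="invalid_token", '
                     'error_description="audience mismatch"'}, ""
    return 200, {}, "rsvp recorded for %s" % info["sub"]


if __name__ == "__main__":
    auth = AuthorizationServer()
    tok = auth.issue("gmail-actions", "alice@example.com",
                     "https://events-organizer.com", now=1000)
    print(handle_request(auth, "https://events-organizer.com",
                         {"Authorization": "Bearer " + tok}, now=1500))
```

Two design choices worth noting. The token itself carries no information and is never stored in the clear; all meaning (client, subject, audience, expiry) lives in the issuer's record, so a leaked database does not yield usable tokens and revocation is a single delete. And the resource server never accepts a token on syntax alone: every request costs a lookup at the issuer (or, in a larger deployment, a cached introspection response), which is exactly the trade-off the question asks about between opaque tokens and self-contained ones.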
