Can / should I refresh an OAuth2 token with every request in spring security


Problem description

We use the username-password grant to connect our JS client to our REST server. In a way the token returned by oauth/token is our session, as it allows access to the backend for a limited time.

We would like to refresh that session/token every time we make a request to the backend using the token.

I know there is this refresh token issued by the server and I could use it to refresh my token after it has expired.

The thing is: I don't want to make it the client's responsibility to catch the token expired exception and re-authenticate or schedule a refresh prior to token expiration. I want the token to refresh itself until it is not used any more for a limited amount of time - just like a session. (I also wouldn't like it to issue a refresh request with every "data" request, though I think I remember reading that a refresh token is only valid once..?!)

Is there a way to do that in spring security or will I have to build some custom implementation of the token store or whatever part I choose?

Since I can't really find an answer (hence the post) I'm thinking: Maybe it is not wise to do this, though I can't think why. If I can steal the token, I can steal the refresh token as well. So I guess I don't really see the point in having a refresh token in the first place..

EDIT

In response to Luke Taylor's answer I'll clarify our use case.


  • We have a REST server that holds application data like persons, but also provides access to our content management and allows clients to post to Facebook. It encapsulates application logic and data storage.
  • We have a fully fledged client application already in place that has its own security layer and just accesses the data on our REST server via client credentials flow. Who can do what is decided on the client side.
  • We have several medium and small applications like a contact app on Facebook that access the data on the REST server also using client credentials.
  • We are now developing a client application using only javascript that will access the REST layer to do all the stuff the big client application does but also needs to provide a means to authenticate individual users and allow multi tenancy. Therefore this new client application uses the username-password grant to authenticate and method level security to authorize the users.

So we have a REST server that needs to provide complete access to our trusted application that does its own security stuff and that same server needs to provide access for users of our new multi tenancy javascript client application. In production we will have several REST servers each with its own database but the core will always be the same, so in theory one server should be able to handle all.

Recommended answer


I want the token to refresh itself until it is not used any more for a limited amount of time - just like a session

This doesn't really make sense (in an OAuth2 context). The access token is issued by the authorization server, which decides how long it is valid for. It is "used" at a resource server, which may be completely separate from the authorization server, so there is no facility in OAuth2 to connect usage with the lifetime of the token. It would in theory be possible to hack something together which made this work, but it sounds like a bad idea.


If I can steal the token, I can steal the refresh token as well. So I guess I don't really see the point in having a refresh token in the first place..

The access token is used repeatedly and sent by the client to servers other than the authorization server. The refresh token is retained by the client and only sent back to the authorization server. A client also has to authenticate to successfully use a refresh token, so the client id and secret would also have to be compromised.

It's not really clear from your question why you are using OAuth2. You should probably expand your question to clarify this. If there is only one client and a REST server, why not just use something like BASIC auth over HTTPS?

Also, is the client a browser-based app? If so, the username/password grant isn't really suitable for use in an untrusted client.
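Added example, not from the question, the answer or Spring Security: a minimal Python model of the separation the answer describes, in which the authorization server alone fixes the access token lifetime, the resource server only verifies signature and expiry (so presenting a token there cannot extend it), and the refresh grant requires the client secret again. The shared HMAC key, client id, secret and single-use refresh tokens are constructed assumptions, and the user's password check is left out.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key shared by both servers: the resource server verifies access tokens locally.
SIGNING_KEY = b"demo-signing-key-not-for-production"

def _sign(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"  # compact token: base64url(JSON claims) "." hex(HMAC-SHA256)

class AuthorizationServer:
    # Alone decides how long an access token lives (access_ttl seconds).
    def __init__(self, clients: dict, access_ttl: int = 300):
        self.clients = clients          # client_id -> client_secret
        self.access_ttl = access_ttl
        self.refresh_tokens = {}        # refresh_token -> (client_id, user)

    def _authenticate_client(self, client_id, client_secret):
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("invalid_client")

    def _issue(self, client_id, user, now):
        access = _sign({"sub": user, "exp": now + self.access_ttl})
        refresh = secrets.token_urlsafe(24)
        self.refresh_tokens[refresh] = (client_id, user)
        return {"access_token": access, "refresh_token": refresh}

    def password_grant(self, client_id, client_secret, user, now):
        # User credential check omitted (assumption); the model is about token mechanics.
        self._authenticate_client(client_id, client_secret)
        return self._issue(client_id, user, now)

    def refresh_grant(self, client_id, client_secret, refresh_token, now):
        # Client authenticates again, and the refresh token is single-use (rotated).
        self._authenticate_client(client_id, client_secret)
        owner = self.refresh_tokens.pop(refresh_token, None)
        if owner is None or owner[0] != client_id:
            raise PermissionError("invalid_grant")
        return self._issue(client_id, owner[1], now)

def resource_server_check(access_token: str, now: int) -> str:
    # Resource server side: signature and expiry only; presenting a token never extends it.
    body, _, mac = access_token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("invalid_token")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        raise PermissionError("token_expired")
    return claims["sub"]
```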
