OAuth2 Refresh Token. How to store it on client-side


Problem description

There is an Authorization OAuth2 Server to get access + refresh tokens. As far as I understand, the access token can be stored on the client side, because it has a short life cycle. But can the refresh token be stored there? According to information that I've read, there is no secure way to do it (here).

So, I have to implement a separate server-side service, just to store the refresh token.

Am I right? Is it the only possible way to store the refresh token?

P.S. Client-side: AngularJS

Recommended answer

Yes, you are right. If you cannot authenticate with the Authorisation server (i.e. pass the client ID and secret), then you will only get a short-lived access token.

As the Angular code is on the client, it would be insecure for it to hold your client secret. Therefore you cannot pass your client secret to the Auth server, so you cannot authenticate.

Also, your server code would not just store a token; it would be expected to host an endpoint which accepts an auth code and then calls the Auth server with that code (and your client credentials) to get a token and a refresh token.

The auth code would be supplied to your server endpoint via a call from the auth server, via an HTTP redirect, following successful user login and the user granting access to your app.
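The server-side endpoint the answer describes, as an added example (not code from the original post or from any project): it exchanges the auth code for tokens using the client secret, keeps the refresh token on the server keyed by an opaque session id, and returns only the short-lived access token to the Angular client. The token endpoint, client credentials and redirect URI are placeholders, and the HTTP call is injected as `post_form` so the block runs offline.

```python
import base64
import secrets
from typing import Callable, Dict

# Placeholders: the real values come from your auth server registration.
TOKEN_ENDPOINT = "https://auth.example.test/oauth2/token"
CLIENT_ID = "my-client-id"
CLIENT_SECRET = "my-client-secret"   # lives only on the server, never in Angular
REDIRECT_URI = "https://app.example.test/oauth2/callback"

# Server-side store: opaque session id -> refresh token. In production this
# is a database or cache; the browser only ever receives the session id.
REFRESH_TOKENS: Dict[str, str] = {}

# post_form(url, headers, form_body) -> parsed JSON. Injected so the logic is
# testable offline; in production wrap something like requests.post(...).json().
PostForm = Callable[[str, Dict[str, str], Dict[str, str]], Dict]


def client_auth_header() -> Dict[str, str]:
    """HTTP Basic client authentication (RFC 6749 section 2.3.1)."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def handle_callback(code: str, post_form: PostForm) -> Dict[str, object]:
    """Redirect target: exchange the code (RFC 6749 section 4.1.3), keep the
    refresh token server-side, return only what the Angular client needs."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI}
    tokens = post_form(TOKEN_ENDPOINT, client_auth_header(), body)
    session_id = secrets.token_urlsafe(32)
    if "refresh_token" in tokens:
        REFRESH_TOKENS[session_id] = tokens["refresh_token"]
    return {"session_id": session_id, "access_token": tokens["access_token"],
            "expires_in": tokens.get("expires_in")}


def refresh_access_token(session_id: str, post_form: PostForm) -> Dict[str, object]:
    """Client asks the server for a new access token; the refresh token never
    leaves the server. If the auth server rotates it, store the new one."""
    refresh_token = REFRESH_TOKENS.get(session_id)
    if refresh_token is None:
        raise KeyError("unknown session")
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    tokens = post_form(TOKEN_ENDPOINT, client_auth_header(), body)
    if "refresh_token" in tokens:
        REFRESH_TOKENS[session_id] = tokens["refresh_token"]
    return {"access_token": tokens["access_token"],
            "expires_in": tokens.get("expires_in")}
```

The Angular client keeps only `session_id` and `access_token`; when the access token expires it calls a server route that runs `refresh_access_token`.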
