JWT refresh token flow


Problem description

I'm building a mobile app and am using JWT for authentication.

It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want.

  1. What does a refresh token look like? Is it a random string? Is that string encrypted? Is it another JWT?
  2. The refresh token will be stored in the database on the user model for access, right? In that case it seems like it should be encrypted.
  3. Will I send the refresh token back after the user logs in, and then have the client hit a separate route to retrieve an access token?

Recommended answer

Assuming that this is about OAuth 2.0 since it is about JWTs and refresh tokens...:

  1. Just like an access token, in principle a refresh token can be anything, including all of the options you describe; a JWT could be used when the Authorization Server wants to be stateless or wants to enforce some sort of "proof-of-possession" semantics onto the client presenting it. Note that a refresh token differs from an access token in that it is not presented to a Resource Server but only to the Authorization Server that issued it in the first place, so the self-contained validation optimization for JWTs-as-access-tokens does not hold for refresh tokens.
  2. That depends on the security/access of the database; if the database can be accessed by other parties/servers/applications/users, then yes (but your mileage may vary with where and how you store the encryption key...).
  3. An Authorization Server may issue both access tokens and refresh tokens at the same time, depending on the grant that is used by the client to obtain them; the spec contains the details and options on each of the standardized grants.
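The flow described in the answer, as an added example that is not part of the original question or answer: a minimal Authorization Server that issues a short-lived HS256 access JWT together with an opaque, random refresh token, stores only a hash of the refresh token server-side (so a database leak does not yield usable tokens), and rotates the refresh token on every use, revoking the user's whole set of refresh tokens if an already-rotated token is replayed. The secret key, lifetimes, in-memory store and the `login`/`refresh` function names are all assumptions of this example; credential checking is omitted. Only the Python standard library is used, so the JWT encoding is hand-rolled rather than taken from a JWT library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed server-side settings (assumptions for this example, not production values).
JWT_SECRET = b"example-hs256-signing-key-replace-me"
ACCESS_TTL = 5 * 60            # access JWT lives 5 minutes
REFRESH_TTL = 30 * 24 * 3600   # refresh token lives 30 days

# Stand-in for the sessions table: sha256(refresh token) -> record.
# Only the hash is kept, so a copy of this table cannot be replayed as tokens.
REFRESH_STORE: Dict[str, dict] = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(user_id: str, now: Optional[float] = None) -> str:
    """Build a minimal HS256 JWT (header.payload.signature) meant for the Resource Server."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": int(now), "exp": int(now + ACCESS_TTL)}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Self-contained validation (signature + expiry); no database lookup is needed."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:          # malformed base64 / JSON / wrong number of segments
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def _hash_refresh(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_refresh_token(user_id: str, now: Optional[float] = None) -> str:
    """Opaque random refresh token; the server records its hash so it can be revoked."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[_hash_refresh(token)] = {"user_id": user_id, "exp": now + REFRESH_TTL, "revoked": False}
    return token


def login(user_id: str, now: Optional[float] = None) -> dict:
    """After the user's credentials are verified (omitted here), issue both tokens at once."""
    return {"access_token": issue_access_token(user_id, now),
            "refresh_token": issue_refresh_token(user_id, now)}


def refresh(refresh_token: str, now: Optional[float] = None) -> Optional[dict]:
    """Exchange a refresh token for a new pair, rotating the refresh token.

    A refresh token that was already rotated is treated as evidence of theft:
    every refresh token belonging to that user is revoked and nothing is issued.
    """
    now = time.time() if now is None else now
    rec = REFRESH_STORE.get(_hash_refresh(refresh_token))
    if rec is None or rec["exp"] <= now:
        return None
    if rec["revoked"]:
        for other in REFRESH_STORE.values():
            if other["user_id"] == rec["user_id"]:
                other["revoked"] = True
        return None
    rec["revoked"] = True
    return login(rec["user_id"], now)


if __name__ == "__main__":
    pair = login("alice")
    print("access claims:", verify_access_token(pair["access_token"]))
    rotated = refresh(pair["refresh_token"])
    print("rotated ok:", rotated is not None)
    print("replay of old refresh token accepted:", refresh(pair["refresh_token"]) is not None)
```

The split of responsibilities mirrors point 1 of the answer: the access JWT is validated by signature and `exp` alone, while the refresh token is only ever looked up against the Authorization Server's own store, which is what makes revocation and rotation possible.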
