Is using a refresh token in token-based authentication secure?

Views: 132

Problem description

I am building a token-based authentication (Node.js using passport/JWT with an Angular client).

After the user enters his credentials he gets an access token, which he sends in every request inside the header (header: bearer TOKEN).

I don't want to prompt a login request every time his access token expires (about every day I guess); I've heard about refresh tokens. The refresh token never expires (or rarely expires) and is able to renew tokens indefinitely. When the access token is about to expire, the client can send a renew request to get a new access token by sending his refresh token.

I don't understand a few things, I might be missing something:

  1. How do long-living/never-expiring refresh tokens not ruin the security of having short-living access tokens?

Cookies can be stolen and used until they expire. Tokens are short-living so they are more secure, but if I provide a long-living refresh token I lose the advantage of using tokens.

NOTE: I am aware that the refresh tokens are sent at the initial login, so they can't be spoofed in every request, but if they are spoofed at the initial request they are vulnerable.

Recommended answer

The refresh token is presented on a different path than the access token: the access token is only ever presented to the Resource Server, the refresh token is only ever presented to the Authorization Server. The access token can be self-contained so that it does not need costly calls to the Authorization Server to check its validity, but to mitigate loss and to increase accuracy (it cannot be revoked in case something goes wrong) it is short-lived. The refresh token is long-lived and gets validated on each call to the Authorization Server, and as such it can be revoked. The combination of the two makes the system secure.

