OpenID Connect session management - can ID token be revoked?


Question


In OpenID Connect, the ID token is a cryptographically signed, self-contained token which allows resource owners to authorize access without a call to the authorization server. So, if the Authorization server isn't necessary to validate the token, how can it be revoked in a session management scenario? It seems like the only thing that can be revoked is the refresh token at which point the ID token would just expire and the user would have to reauthenticate. Is this correct? Also, does it even make sense for OpenID Connect Provider/Server to store the token at all as it hands it off?

Answer


The id_token cannot be explicitly revoked because of the reasons that you mention: it is self-contained and can be used without dependency on the Provider. However, a typical usage in web applications is to use the id_token upon receipt to create an application session, store the relevant information from the id_token in the session and then to discard the id_token itself. That application session can be terminated upon request from the Provider by implementing the OpenID Connect Session Management extension, see: https://openid.net/specs/openid-connect-session-1_0.html. In this web SSO use case the id_token lifetime would be limited since it is one-time usage only.
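The pattern the answer describes, as an added example that is not part of the question or answer: the relying party validates the id_token once, copies the claims it needs into a server-side session, discards the token, and later terminates that session on an OP-initiated logout. The OP side is simulated with a constructed HS256 secret; the issuer `https://op.example`, client id `rp-client`, and the in-memory session store are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-shared-secret"  # constructed; a real OP signs with an asymmetric key (RS256/ES256)
SESSIONS = {}  # server-side store: session id -> the claims the app keeps after discarding the token

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict) -> str:
    """Stand-in for the OP issuing an id_token (HS256 so the example runs offline)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token: str, iss: str, aud: str, now: float) -> dict:
    """Self-contained validation (alg, signature, iss, aud, exp): no call back to the OP."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":  # reject alg=none and friends
        raise ValueError("unexpected alg")
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != iss or claims.get("aud") != aud or claims.get("exp", 0) <= now:
        raise ValueError("iss, aud or exp check failed")
    return claims

def create_session(token: str, iss: str, aud: str, now: float) -> str:
    """Verify the id_token once, keep only what the app needs, then drop the token."""
    claims = verify_id_token(token, iss, aud, now)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"sub": claims["sub"], "auth_time": claims.get("auth_time")}
    return sid

def session_active(sid: str) -> bool:
    return sid in SESSIONS
def terminate_session(sid: str) -> None:  # what the RP does on an OP-initiated logout
    SESSIONS.pop(sid, None)

def demo(now: float = 1_700_000_000) -> dict:
    tok = make_id_token({"iss": "https://op.example", "aud": "rp-client", "sub": "alice",
                         "exp": now + 300, "auth_time": now})
    sid = create_session(tok, "https://op.example", "rp-client", now)
    before = session_active(sid)
    terminate_session(sid)  # the id_token itself is untouched: only the application session dies
    still_valid = verify_id_token(tok, "https://op.example", "rp-client", now)["sub"] == "alice"
    return {"active_before": before, "active_after": session_active(sid), "token_still_verifies": still_valid}
```

After `terminate_session` the token still passes `verify_id_token`, which is exactly why revocation has to happen at the session layer rather than on the id_token.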
