What is the purpose of a "Refresh Token"?


Problem description

I have a program that integrates with the YouTube Live Streaming API. It runs on timers, so it's been relatively easy for me to program in to fetch a new Access Token every 50 minutes with a Refresh Token. My question is, why?

When I authenticated with YouTube, it gave me a Refresh Token. I then use this refresh token to get a new Access Token about once an hour. If I have the Refresh Token, I can ALWAYS use this to get a new Access Token, since it never expires. So I don't see how this is any more secure than just giving me an Access Token from the start and not bothering with the whole Refresh Token system.

Recommended answer

Basically, refresh tokens are used to get new access tokens.

To clearly differentiate these two tokens and avoid getting mixed up, here are their functions given in The OAuth 2.0 Authorization Framework:

  • Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server.
  • Refresh Tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope.

Now, to answer your question on why you were still being issued a refresh token instead of just securing an access token, the main reason provided by the Internet Engineering Task Force in Refresh tokens is:

There is a security reason: the refresh_token is only ever exchanged with the authorization server, whereas the access_token is exchanged with resource servers. This mitigates the risk of a long-lived access_token leaking in the "an access token good for an hour, with a refresh token good for a year or good-till-revoked" vs "an access token good-till-revoked without a refresh token" comparison.

For more detailed and complete information on the OAuth 2.0 Flow, please try going through the following references:

  • OAuth 2.0 Flow: Server-side web apps
  • The OAuth 2.0 Authorization Framework issued by Internet Engineering Task Force (IETF)
  • SO post - Why Does OAuth v2 Have Both Access and Refresh Tokens?
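As an added illustration (not part of the original question or answer), a small Python simulation of the three parties the answer describes: the authorization server is the only party that ever sees the refresh token, the resource server only ever sees one-hour access tokens, and the client refreshes early, roughly every 50 minutes as in the question. The class and method names, the ten-minute slack and the "stream-status" resource are assumptions of this example.

```python
import secrets

ACCESS_TTL = 3600  # access token good for an hour, as in the answer's example

class AuthorizationServer:
    """Issues both tokens; the only party that ever sees a refresh token."""
    def __init__(self):
        self._access = {}   # access token -> expiry (seconds)
        self._refresh = {}  # refresh token -> client_id, good-till-revoked
    def authorize(self, client_id, now):
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = client_id
        return self._issue_access(now), refresh_token
    def refresh(self, refresh_token, now):
        # None stands in for an invalid_grant error once the token is revoked
        if refresh_token not in self._refresh:
            return None
        return self._issue_access(now)
    def revoke(self, refresh_token):
        self._refresh.pop(refresh_token, None)
    def is_valid(self, access_token, now):
        return self._access.get(access_token, 0) > now
    def _issue_access(self, now):
        access_token = secrets.token_urlsafe(32)
        self._access[access_token] = now + ACCESS_TTL
        return access_token

class ResourceServer:
    """Sees only access tokens; None stands in for an HTTP 401 once expired."""
    def __init__(self, auth):
        self._auth = auth
    def get_resource(self, access_token, now):
        return "stream-status" if self._auth.is_valid(access_token, now) else None

class Client:
    """Refreshes ahead of expiry (after ~50 minutes), as the question's timer does."""
    def __init__(self, auth, resource, now):
        self._auth, self._resource = auth, resource
        self.access_token, self.refresh_token = auth.authorize("my-app", now)
        self._expires = now + ACCESS_TTL
    def fetch(self, now):
        if now >= self._expires - 600:  # ten minutes of slack (assumed)
            new_token = self._auth.refresh(self.refresh_token, now)
            if new_token is None:
                return None  # refresh token revoked: user must re-authorize
            self.access_token, self._expires = new_token, now + ACCESS_TTL
        return self._resource.get_resource(self.access_token, now)
```

An access token that leaks from the resource-server side stops working after one hour, while revoking the refresh token at the authorization server ends the session at the client's next refresh; the refresh token itself never travels to the resource server.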

