What is intent of ID Token expiry time in OpenID Connect?


Question

In OpenID Connect an access token has an expiry time. For authorization code flow, this is typically short (eg 20 minutes) after which you use the refresh token to request a new access token.

The ID token also has an expiry time. My question is what is the intent of this?

Any ID token expiry time less than the expiry time of the refresh token will mean you will eventually have an expired ID token, but a valid access token.

Are you meant to:

  • give your ID token an expiry longer than that of the refresh token, or
  • set it to the same expiry as the access token and do something (what?) when it expires, or
  • only use the ID token when the Client receives it and then ignore its expiry after that?

The OpenID Connect specification just says that when validating an ID token,

"The current time MUST be before the time represented by the exp Claim."

which (possibly) supports the third option above.

Edit

As OpenID Connect builds on OAuth2 the answer to the supplementary question below can be found in the OAuth2 specification which says,

expires_in
     RECOMMENDED.  The lifetime in seconds of the access token.


A related question is when you exchange an authorization code for the tokens, the same specification says you might get a response such as:

{
 "access_token": "SlAV32hkKG",
 "token_type": "Bearer",
 "refresh_token": "8xLOxBtZp8",
 "expires_in": 3600,
 "id_token": "eyJhbG[...]"
}

But what does "expires_in" relate to in this case? The access token, the refresh token or the ID token?

(For information, IdentityServer3 sets this to the access token expiry time).

Accepted answer

I'm answering my own question as have discovered that some of the assumptions behind my question were wrong, so easier to clarify here, rather than re-write the question.

An ID token is meant for proving to a Client that the user has authenticated, and who they are as a result.

When a Client receives an ID token, it will generally do something like convert it to a ClaimsIdentity, and persist this, eg using a cookie.

The ID token has to be un-expired at this point of use (which it should be, since it has just been issued). But after this it is not used again, so it does not matter if it expires while the user still has an active session. The Client has the authentication information it needs, and in turn can choose its own policy for how long the session lasts before the user has to log in again.

My wrong assumption when asking the question was that an ID token and access token should be used together, and therefore both needed to have valid expiry dates. This is wrong for various reasons:

  • ID tokens are only for authenticating to a Client (as described above).
  • Access tokens have nothing to do with Clients. They are for access to resources and a Client only handles them if it in turn needs to call a resource.
  • Something like a standalone MVC or WebForms application only needs an ID token. If it isn't calling an external resource, there is nothing to grant access to, so no access token.
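As an added illustration of the answer above (example code, not from the question, the answer or IdentityServer3), a minimal Python sketch of the lifecycle it describes: the Client validates the ID token once, at the moment it receives it (signature, alg, iss, aud, and "current time MUST be before exp"), then starts a session whose lifetime is its own policy, so the ID token expiring later has no effect. Issuer, client id, HMAC secret and all timestamps are constructed values; HS256 is used only so the example runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed example values; not taken from any real provider or client.
ISSUER = "https://op.example"
CLIENT_ID = "client-123"
SECRET = b"shared-hmac-secret-for-demo"   # HS256 so the example runs offline


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(subject: str, issued_at: int, lifetime: int) -> str:
    """Stand-in for the OpenID Provider: issue a short-lived HS256 ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": subject,
              "iat": issued_at, "exp": issued_at + lifetime}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, now: int) -> dict:
    """The checks the Client performs once, when the ID token arrives."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never trust alg from the token blindly
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if now >= claims["exp"]:                        # "current time MUST be before exp"
        raise ValueError("ID token expired")
    return claims


def establish_session(token: str, now: int, session_lifetime: int) -> dict:
    """Consume the ID token once; the session's expiry is the Client's own policy."""
    claims = validate_id_token(token, now)
    return {"sub": claims["sub"], "auth_time": now, "expires": now + session_lifetime}


def session_active(session: dict, now: int) -> bool:
    """Later requests check the persisted session, never the original ID token."""
    return now < session["expires"]
```

After `establish_session`, the ID token can expire (here after 5 minutes) while the 8-hour session it bootstrapped remains valid, which is exactly the situation the question worried about.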
