Why Does OAuth v2 Have Both Access and Refresh Tokens?


Question

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new access_token:

https://tools.ietf.org/html/rfc6749#section-4.2

Why have both? Why not just make the access_token last as long as the refresh_token and not have a refresh_token?

Answer

The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it.

Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token.

Having said that, because every call to both the authorization server and the resource server is done over SSL - including the original client id and secret when they request the access/refresh tokens - I am unsure as to how the access token is any more "compromisable" than the long-lived refresh token and client id/secret combination.

This of course is different to implementations where you don't control both the authorization and resource servers.

Here is a good thread talking about uses of refresh tokens: OAuth Archives.

A quote from the above, talking about the security purposes of the refresh token:


Refresh tokens... mitigates the risk of a long-lived access_token leaking (query param in a log file on an insecure resource server, beta or poorly coded resource server app, JS SDK client on a non https site that puts the access_token in a cookie, etc)
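As an added example that is not part of the original question or answer, the following Python model of an in-memory authorization server shows the two properties the answer rests on: the access token stops working on its own after a short lifetime, while the refresh token can only be redeemed together with the client's own id and secret. It goes one step beyond the answer by also rotating the refresh token on each use, so a refresh token captured after it has been redeemed is worthless. The lifetimes, the client names, the injectable clock and the introspection response shape are all assumptions made for this example, not values from RFC 6749 or the answer.

```python
import hmac
import secrets
import time

# Lifetimes assumed for this model (not taken from the RFC or the answer above).
ACCESS_TOKEN_TTL = 10 * 60              # short-lived: bounds the window a leaked token is usable
REFRESH_TOKEN_TTL = 30 * 24 * 60 * 60   # long-lived, but only usable with the client's credentials


class RefreshError(Exception):
    """Raised when a refresh request is rejected (bad credentials, unknown/expired/rotated token)."""


class FakeClock:
    """Constructed clock for the demo and tests; a real deployment would pass time.time."""

    def __init__(self, start):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AuthorizationServer:
    """Minimal in-memory authorization server modelling the access/refresh token pair."""

    def __init__(self, clients, now=time.time):
        self._clients = dict(clients)   # client_id -> client_secret (confidential clients only)
        self._now = now                 # injectable clock so expiry can be exercised deterministically
        self._access = {}               # access_token -> (client_id, expires_at)
        self._refresh = {}              # refresh_token -> (client_id, expires_at)

    def issue(self, client_id):
        """Issue a fresh token pair for a client that has already been authorized."""
        if client_id not in self._clients:
            raise RefreshError("unknown client")
        now = self._now()
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        self._access[access_token] = (client_id, now + ACCESS_TOKEN_TTL)
        self._refresh[refresh_token] = (client_id, now + REFRESH_TOKEN_TTL)
        return {"access_token": access_token,
                "refresh_token": refresh_token,
                "expires_in": ACCESS_TOKEN_TTL}

    def introspect(self, access_token):
        """What a resource server asks: is this access token still active, and for which client?"""
        record = self._access.get(access_token)
        if record is None or record[1] <= self._now():
            return {"active": False}
        return {"active": True, "client_id": record[0]}

    def refresh(self, refresh_token, client_id, client_secret):
        """Exchange a refresh token for a new pair; the client must prove its own identity."""
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise RefreshError("invalid client credentials")
        record = self._refresh.get(refresh_token)
        if record is None:
            raise RefreshError("unknown or already rotated refresh token")
        owner, expires_at = record
        if owner != client_id:
            raise RefreshError("refresh token was not issued to this client")
        if expires_at <= self._now():
            raise RefreshError("refresh token expired")
        # Rotation: the presented refresh token is consumed, so a copy stolen later cannot be replayed.
        del self._refresh[refresh_token]
        return self.issue(client_id)


if __name__ == "__main__":
    clock = FakeClock(1_000_000)
    server = AuthorizationServer({"web-app": "client-secret"}, now=clock)
    pair = server.issue("web-app")
    print("fresh access token active:", server.introspect(pair["access_token"])["active"])
    clock.advance(ACCESS_TOKEN_TTL + 1)
    print("after TTL, leaked access token active:", server.introspect(pair["access_token"])["active"])
    try:
        server.refresh(pair["refresh_token"], "web-app", "guessed-secret")
    except RefreshError as exc:
        print("refresh token alone rejected:", exc)
    renewed = server.refresh(pair["refresh_token"], "web-app", "client-secret")
    print("renewed access token active:", server.introspect(renewed["access_token"])["active"])
```

Run as a script it walks through the scenario from the answer: a leaked access token is dead once its lifetime passes, and a leaked refresh token gets nothing without the client secret. The `hmac.compare_digest` call keeps the secret check constant-time; the owner check stops a refresh token issued to one client from being redeemed by another, which matters as soon as several clients share the server.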

