Why are Refresh Tokens considered insecure for an SPA?


Question

I was reading the documentation on the Auth0 site regarding Refresh Tokens and SPAs, and they state that SPAs should not use Refresh Tokens as they cannot be securely stored in a browser, and should instead use Silent Authentication to retrieve new Access Tokens.


A Single Page Application (normally implementing Implicit Grant) should not under any circumstances get a Refresh Token. The reason for that is the sensitivity of this piece of information. You can think of it as user credentials, since a Refresh Token allows a user to remain authenticated essentially forever. Therefore you cannot have this information in a browser, it must be stored securely.

I'm confused. From my understanding, the only way to retrieve a new access token would be to submit a new request to the Auth server, along with some form of an Auth0 session cookie to authenticate the user that is logged in. Upon receiving the session cookie the Auth0 server would then be able to issue a new Access Token.

But how is that any different from having a Refresh Token in the browser or in local storage? What makes the Session Cookie any more secure than a Refresh Token? Why is using a Refresh Token in an SPA a bad thing?

Answer

There are a lot of misunderstandings about cookies, refresh tokens and OAuth2.

First, it is not true that only confidential clients can use a refresh token. The OAuth2 protocol says that confidential clients must authenticate, but does not require confidential clients. Ergo, client authentication is optional on the refresh operation. See RFC 6749, Section 6, Refreshing An Access Token.

Second, you have to understand what the alternatives are:

  1. Force the user to enter his or her username and password every 5 minutes (whenever the access token expires)

  2. Long-lived access tokens

  3. Authentication via HTTP cookies

Everybody in the world who doesn't use refresh tokens uses option #3. Authentication via cookies is functionally and security-wise 100% equivalent to storing a refresh token. Of course, with both tokens and cookies, there are options for where they are kept:

a. HTTP only,
b. secure (require TLS/SSL) and
c. session (in memory) vs. persistent (local, domain storage)

The "HTTP only" option applies only to cookies and, thus, may represent the only advantage of using cookies over tokens. I.e. tokens are handled via Javascript, so there's no option to keep them away from scripts. That said, the tokens are available only to Javascript from the domain of the page that stored them (or as allowed by CORS policy). So this issue can be overblown.

Of course, care must be taken to always use TLS/SSL to transmit either authentication cookies or tokens. Honestly, since we know most breaches occur from within the private corporate network, end-to-end TLS is now a basic requirement.

Finally, whether cookies or tokens are ever persisted, i.e. stored somewhere that survives closing the browser or even rebooting the device, depends on the trade-off you're making between usability and security for your application.

For applications that require a higher level of security, just keep everything in memory (i.e. session cookies, tokens in a Javascript variable). But for apps that don't require as much security and really want a session life on the order of days or weeks, you need to store them. Either way, that storage is accessible only to pages and scripts from the original domain and, thus, cookies and tokens are functionally equivalent.
