How to secure a refresh token?

Views: 454

Question


I'm using JWTs for authenticating users for my app. When a user logs in they are given an access token and a refresh token. To keep the refresh token safe, I don't store it on the client side, but save it on the back end with their account so it's not easy to access. I'm confused about the security of refresh tokens though; here's the logic that I'm understanding when I read online resources on how to use refresh tokens:

  1. authenticate
  2. store access token + refresh token somewhere (in my case, access token on the front-end and refresh token on the back-end)
  3. when performing an api request, validate the access token on the api side
  4. if the access token is expired, use the refresh token to generate a new access token + new refresh token, send access token back to client
  5. store tokens as before... and repeat

The security issue I'm worried about is this: if someone else (a hacker) got hold of the access token and sent a request to the api with it, and the token is expired, the api will use the refresh token to get a new access token + new refresh token and return at least the access token to the hacker.

I read this article about 5-6 times and I read this article a few times, as well as some other articles on the subject, they all say something along the lines of

make sure to store the refresh token securely because it's long lived, the access_token is short lived so not as big of a deal

But according to the flow I described above, it doesn't matter if the access token is short lived, the refresh token will be used to get a new access token and have access forever.

Is there something I'm missing? How would the api know who is sending the request if a hacker got hold of the expired access token? It will still send a new one using the refresh token. Am I supposed to somehow validate who is sending the request?

UPDATE

So I do understand that when a new access token is requested, I need to send over the refresh token, the client ID, and the client secret. The issue I have with that is, like before, the hacker can send a request to my API server, the server gets the hijacked access token from the hacker, it will see that it's expired, so it will send the refresh token, along with the clientID/client secret (which are stored as environment variables) to the Auth API and get back a new access token / refresh token, which brings us back to the same issue.

UPDATE 2

Some interesting questions on the subject:

  1. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  2. https://security.stackexchange.com/questions/87119/how-secure-are-expiring-tokens-and-refresh-tokens

According to the second question and answer, it seems like the refresh token is not a more secure way to maintain access; it's just that it's easier to detect a hacker, because auth/refresh tokens keep getting requested and invalidating the other's tokens. The issue with this is that it will only happen if 2 users are simultaneously trying to access resources. If only the hacker happens to be active at a given time period, he will have unlimited access to the original user's data until the original user tries to use the app and access protected resources.
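As an added illustration (not code from the question or from any answer) of the rotation-and-detection behaviour the second linked question describes, here is a constructed in-memory token service in Python. The API only validates access tokens and never refreshes on a caller's behalf, refreshing requires the client to present the refresh token itself, and presenting a refresh token that has already been rotated revokes the whole login "family". All class and method names are assumptions made for this example.

```python
import secrets
import time


class TokenService:
    """Constructed in-memory auth server with rotating refresh tokens.
    Each login starts a 'family'; replaying an already-rotated refresh token
    revokes the whole family, including the newest access token."""

    def __init__(self, access_ttl=900, now=time.time):
        self.access_ttl = access_ttl
        self.now = now                 # injectable clock so expiry is testable
        self.access = {}               # access token -> (user, family, expires_at)
        self.refresh = {}              # refresh token -> (user, family, already_used)
        self.revoked_families = set()

    def _issue(self, user, family):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user, family, self.now() + self.access_ttl)
        self.refresh[rt] = (user, family, False)
        return at, rt

    def login(self, user):
        """Credential check omitted; returns (access_token, refresh_token)."""
        return self._issue(user, secrets.token_hex(8))

    def validate_access(self, at):
        """API side: an expired access token is just rejected. The API never
        refreshes on the caller's behalf, so an expired token alone yields nothing."""
        rec = self.access.get(at)
        if rec is None:
            return None
        user, family, expires_at = rec
        if expires_at <= self.now() or family in self.revoked_families:
            return None
        return user

    def refresh_tokens(self, rt):
        """Only the party holding the refresh token itself can rotate it."""
        rec = self.refresh.get(rt)
        if rec is None:
            return None
        user, family, used = rec
        if used or family in self.revoked_families:
            self.revoked_families.add(family)  # replay detected: end the session
            return None
        self.refresh[rt] = (user, family, True)
        return self._issue(user, family)
```

Note that, exactly as the update above observes, the replay is only detected when the old refresh token is presented a second time; a thief who is the only party active sees no rotation conflict until the legitimate client refreshes.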

Recommended answer

Basically, it seems like a bad idea to use refresh tokens with browser based apps. Refresh tokens are meant for mobile apps where the refresh token can be stored securely on the phone - phones have some sort of secure storage mechanism, whereas browsers do not.
