OAuth Client Credential Flow - Refresh Tokens
Question
Scenario
I've recently built an ASP.NET Web API, and have protected its resources using OAuth Bearer Access Tokens.
I've used the Client_Credentials flow, as it will be accessed by clients as opposed to users.
Here's the thing: when a client has successfully provided the client_id and the client_secret, they receive a response like the following:
{
"access_token": "<Access Token>",
"token_type": "bearer",
"expires_in": 1199,
"refresh_token": "<Refresh Token>"
}
Refresh tokens.
Not knowing much about refresh tokens, I immediately assumed that a client would be able to provide the OAuth server the refresh_token to retrieve a fresh Access_Token.
This is correct. In order to use the refresh_token, the client still needs to pass the client_id and client_secret along with the refresh_token to get a new access token. The grant_type also needs to be changed to refresh_token.
Where is the benefit of a refresh_token using this flow? If I need to pass the client_id and client_secret each time, surely you would just avoid using a refresh token altogether?
Answer
The issuance of a refresh token with the client credentials grant has no benefit. That is why RFC 6749 section 4.4.3 indicates "A refresh token SHOULD NOT be included". Thus its issuance is at the discretion of the authorization server.
From my point of view, an authorization server should never issue a refresh token with the client credentials grant, as the access token issuance process will take an additional and unnecessary step:
Issuance with the client_credentials grant type:
- Step 1: client authentication (client secret, assertion...)
- OK: access token issued
Issuance with the refresh_token grant type:
- Step 1: client authentication (client secret, assertion...)
- Step 2: refresh token verification (expiry, associated client...)
- OK: access token issued
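As an added example (not code from the question or the answer), the two issuance paths above modelled as a minimal token endpoint in Python: every grant starts with client authentication, and only the refresh_token grant adds the refresh-token verification step, so the refresh path can never cost the client less than calling client_credentials again. The client registry, token lifetimes and the issue_refresh_token switch are constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed in-memory registry of confidential clients (example data only).
CLIENTS = {"api-client-1": "s3cret-example"}
# Refresh-token store: token -> {"client_id": ..., "expires_at": ...} (example only).
REFRESH_TOKENS = {}
ACCESS_TOKEN_TTL = 1200          # seconds; the question's response shows expires_in: 1199
REFRESH_TOKEN_TTL = 30 * 24 * 3600  # assumed 30-day refresh token lifetime

def authenticate_client(client_id, client_secret):
    """Step 1 for every grant: client authentication, constant-time secret compare."""
    expected = CLIENTS.get(client_id)
    if expected is None or not isinstance(client_secret, str):
        return False
    return hmac.compare_digest(expected, client_secret)

def validate_refresh_token(token, client_id, now):
    """Step 2 (refresh_token grant only): must exist, be unexpired and bound to this client."""
    record = REFRESH_TOKENS.get(token)
    return (record is not None and record["client_id"] == client_id
            and record["expires_at"] > now)

def token_endpoint(params, now=None, issue_refresh_token=False):
    """Token endpoint for the client_credentials and refresh_token grants.

    issue_refresh_token=True mimics the asker's server; False follows RFC 6749 4.4.3.
    Returns (http_status, json_body).
    """
    now = time.time() if now is None else now
    if not authenticate_client(params.get("client_id"), params.get("client_secret")):
        return 401, {"error": "invalid_client"}
    grant = params.get("grant_type")
    if grant == "refresh_token":
        if not validate_refresh_token(params.get("refresh_token"), params["client_id"], now):
            return 400, {"error": "invalid_grant"}
    elif grant != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    body = {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
            "expires_in": ACCESS_TOKEN_TTL}
    if issue_refresh_token:
        rt = secrets.token_urlsafe(32)
        REFRESH_TOKENS[rt] = {"client_id": params["client_id"],
                              "expires_at": now + REFRESH_TOKEN_TTL}
        body["refresh_token"] = rt
    return 200, body
```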