What goes into a JWT refresh_token?


Question

I built some JWT middleware for my Asp.net Core REST service based on some examples I found online. I get that the response looks like:

{
   "access_token":"...",
   "expires_in":3600,
   "refresh_token":"???",
   "token_type": "Bearer"
}

I understand how to create access_token:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;

// dtNow is a DateTimeOffset captured once so that iat, nbf and exp agree
Claim[] claims = new Claim[]
{
    new Claim(JwtRegisteredClaimNames.Sub, strUsername),
    new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
    new Claim(JwtRegisteredClaimNames.Iat, dtNow.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64)
};

// issuer, audience, claims, notBefore, expires, signing credentials
JwtSecurityToken jwtAccess = new JwtSecurityToken(_options.Issuer, _options.Audience, claims, dtNow.DateTime,
                                                  dtNow.DateTime.Add(_options.AccessTokenExpiration), _options.SigningCredentials);

The question is how do I create refresh_token? I have searched high and low and can't find much documentation on it. Basically, all any reference says is "it's a token stored in a database with a longer TTL that you can create a new access_token from".

So is a refresh_token the exact same thing as an access_token, with just the longer TTL and the additional step that it's validated against the database?

Some of the example JWT responses I've seen seem like the refresh_token is much shorter. My access_token is signed with a certificate using RSA515, so the string is kinda long...

Recommended answer

Now, personally, my refresh tokens are just JWTs with a longer TTL and a little more information that helps me verify the resource owner.

Take a look at the following article from Auth0 and its supporting links:

https://auth0.com/docs/tokens/refresh_token

It could even be a simple GUID used to map user/client to token where the expiry time is also stored in the database along with the token.

The following example is from the link cited above, where they use what looks like a Guid for the refresh token.

So, for instance, assuming there is a user 'test' with password 'test' and a client 'testclient' with a client secret 'secret', one could request a new access token/refresh token pair as follows:

$ curl -X POST -H 'Authorization: Basic dGVzdGNsaWVudDpzZWNyZXQ=' -d 'grant_type=password&username=test&password=test' localhost:3000/oauth/token

{
    "token_type":"bearer",
    "access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiVlx1MDAxNcKbwoNUwoonbFPCu8KhwrYiLCJpYXQiOjE0NDQyNjI1NDMsImV4cCI6MTQ0NDI2MjU2M30.MldruS1PvZaRZIJR4legQaauQ3_DYKxxP2rFnD37Ip4",
    "expires_in":20,
    "refresh_token":"fdb8fdbecf1d03ce5e6125c067733c0d51de209c"
}

Once their token has expired they make a call passing the refresh token to get a new access token.

Now we can use the refresh token to get a new access token by hitting the token endpoint like so:

curl -X POST -H 'Authorization: Basic dGVzdGNsaWVudDpzZWNyZXQ=' -d 'refresh_token=fdb8fdbecf1d03ce5e6125c067733c0d51de209c&grant_type=refresh_token' localhost:3000/oauth/token

{
    "token_type":"bearer",
    "access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiVlx1MDAxNcKbwoNUwoonbFPCu8KhwrYiLCJpYXQiOjE0NDQyNjI4NjYsImV4cCI6MTQ0NDI2Mjg4Nn0.Dww7TC-d0teDAgsmKHw7bhF2THNichsE6rVJq9xu_2s",
    "expires_in":20,
    "refresh_token":"7fd15938c823cf58e78019bea2af142f9449696a"
}

Security considerations

Refresh Tokens are long-lived. This means that when a client gets one from a server, this token must be stored securely to keep it from being used by potential attackers; for this reason it is not safe to store them in the browser. If a Refresh Token is leaked, it may be used to obtain new Access Tokens (and access protected resources) until it is either blacklisted or it expires (which may take a long time). Refresh Tokens must be issued to a single authenticated client to prevent use of leaked tokens by other parties. Access Tokens must also be kept secret, but due to their shorter life, security considerations are less critical.
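The following is an added example, not code from the question or from the Auth0 article, that puts the two points of the answer together in C#: the refresh token is an opaque random value (the "simple GUID" idea) kept in a store with its expiry and the single client it was issued to, and the token endpoint's refresh_token grant looks it up, rejects it if expired, revoked or presented by a different client, and rotates it on every use so a leaked copy stops working as soon as the legitimate client refreshes. It assumes the System.IdentityModel.Tokens.Jwt NuGet package and .NET 6 or later; the in-memory dictionary stands in for the database, and the issuer, audience, signing key and the TokenService/RefreshTokenRecord names are all constructed for the example.

```csharp
// Added example: opaque, rotating refresh tokens beside a short-lived JWT access token.
// Assumes the System.IdentityModel.Tokens.Jwt package; the dictionary stands in for a database.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public sealed class RefreshTokenRecord
{
    public string TokenHash = "";   // SHA-256 of the token; the raw value is never stored
    public string Username = "";
    public string ClientId = "";    // the single client this token was issued to
    public DateTimeOffset ExpiresAt;
    public bool Revoked;
}

public sealed class TokenService
{
    // Constructed demo key; a real service loads its key from configuration or an HSM.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-only-32-byte-minimum-secret-key!!"));
    private readonly Dictionary<string, RefreshTokenRecord> _store = new Dictionary<string, RefreshTokenRecord>();
    private readonly TimeSpan _accessTtl = TimeSpan.FromMinutes(15);
    private readonly TimeSpan _refreshTtl = TimeSpan.FromDays(14);

    // password grant (or any completed login): short-lived JWT plus long-lived opaque refresh token
    public (string accessToken, string refreshToken) Issue(string username, string clientId)
    {
        string refresh = NewOpaqueToken();
        _store[Hash(refresh)] = new RefreshTokenRecord
        {
            TokenHash = Hash(refresh), Username = username, ClientId = clientId,
            ExpiresAt = DateTimeOffset.UtcNow.Add(_refreshTtl)
        };
        return (NewAccessToken(username), refresh);
    }

    // refresh_token grant: validate, revoke the presented token, issue a fresh pair (rotation)
    public (string accessToken, string refreshToken)? Refresh(string refreshToken, string clientId)
    {
        if (!_store.TryGetValue(Hash(refreshToken), out var rec)) return null;
        if (rec.Revoked || rec.ExpiresAt <= DateTimeOffset.UtcNow) return null;
        if (rec.ClientId != clientId) { rec.Revoked = true; return null; } // wrong client: treat as leaked
        rec.Revoked = true;                                                // one-time use
        return Issue(rec.Username, clientId);
    }

    private string NewAccessToken(string username)
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, username),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim(JwtRegisteredClaimNames.Iat, now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64)
        };
        var jwt = new JwtSecurityToken("https://issuer.example", "api", claims, now.UtcDateTime,
            now.UtcDateTime.Add(_accessTtl), new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // 256 bits from the CSPRNG, base64url-encoded; no claims inside, meaning lives only in the store
    private static string NewOpaqueToken()
    {
        byte[] bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToHexString(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}

public static class Program
{
    public static void Main()
    {
        var svc = new TokenService();
        var pair = svc.Issue("test", "testclient");
        Console.WriteLine($"refresh_token={pair.refreshToken}");

        var rotated = svc.Refresh(pair.refreshToken, "testclient");
        Console.WriteLine(rotated.HasValue ? "refresh ok, new pair issued" : "refresh rejected");

        // the first token was revoked on use, so a second presentation (a replayed leak) fails
        Console.WriteLine(svc.Refresh(pair.refreshToken, "testclient").HasValue ? "replay accepted" : "replay rejected");

        // the new token presented by some other client is refused and burned
        Console.WriteLine(svc.Refresh(rotated.Value.refreshToken, "otherclient").HasValue ? "cross-client accepted" : "cross-client rejected");
    }
}
```

Storing only the hash means a dump of the store does not yield usable refresh tokens, and the client-id check is what the answer's "issued to a single authenticated client" amounts to in practice; the curl exchange above maps onto Issue for the password grant and Refresh for the refresh_token grant.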
