How to log out using PKCE authorization flow?


Question

If I have an app and an API, and the app logs in through the authorization server and sends the authorization: Bearer xxx header with each request, the API can verify the token locally. When the user logs out (through the auth server) but the token has not yet expired, if someone retrieves this token they will be able to make requests (if the authentication of the token is done locally on the server), is that correct? If that's the case, why is such a logout flow considered secure?

Clarifying the main question: why is the PKCE flow considered secure if, when a user logs out, their access token is still valid (given we do local token verification)?

Answer

Overview of behaviour

With OAuth there is a greater separation of concerns than in older standalone web apps:

  • You log in to a UI
  • This has been externalised to the Authorization Server
  • Access tokens are issued with a fixed / short lifetime
  • Access tokens are used as API message credentials
  • Access tokens may be sent to other components and used from there

On logout:

  • You remove tokens from the app
  • You redirect to tell the Authorization Server that the user is no longer logged in to any UI
  • This does not invalidate access tokens

Token storage

Tokens should be stored in private memory or protected storage so that attackers cannot access them easily. Your app then removes tokens as part of the logout process so that they are no longer available for attackers to try to access.

Threats

The OAuth Threat Model has a section on stolen tokens, where it recommends the above storage and to keep tokens short lived. The most common industry default for an access token is 60 minutes.

The main risk of a malicious party stealing a token is via cross-site scripting. XSS risks are not related to logout. Security testing should be performed regularly to ensure that XSS risks are mitigated.

Balance between security and performance

It may be possible for the UI to tell the Authorization Server that a token is revoked. However, the API would then need to call the Authorization Server on every API request to check for token revocation. This would lead to poor performance.

API architecture

I always aim to use Claims Caching and introspection in OAuth secured APIs, since it gives the actual API best control, along with good extensibility and performance.

With this in place, if you really wanted to make access tokens non usable after logout, without ruining performance, your UI could perform these actions as part of the logout process:

  • Revoke the access token at the Authorization Server (if supported)
  • Call the API to ask it to remove the cached claims for the access token
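As an added example (not code from the original answer), the following Python sketch shows the claims-caching API design and the two-step logout described above; FakeAuthorizationServer is a constructed stand-in for a real introspection endpoint, and the cache shows why revocation alone is not enough while claims are still cached.

```python
import hashlib
import time

class FakeAuthorizationServer:
    """Constructed stand-in for the AS (assumption); a real API calls its HTTPS introspection endpoint."""
    def __init__(self):
        self._tokens = {}          # token -> stored claims
        self.introspect_calls = 0  # counts round trips so cache hits are visible

    def issue(self, token, claims, lifetime_seconds=3600):
        self._tokens[token] = dict(claims, active=True, exp=time.time() + lifetime_seconds)

    def revoke(self, token):
        if token in self._tokens:
            self._tokens[token]["active"] = False

    def introspect(self, token):
        self.introspect_calls += 1
        data = self._tokens.get(token)
        if data is None or not data["active"] or data["exp"] < time.time():
            return {"active": False}
        return dict(data)

class ClaimsCache:
    """Caches introspection results so the API does not call the AS on every request."""
    def __init__(self, auth_server, ttl_seconds=300):
        self._as, self._ttl, self._entries = auth_server, ttl_seconds, {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()  # cache by hash, never the raw token

    def get_claims(self, token):
        # Returns claims for an active token, or None if revoked/expired/unknown.
        key = self._key(token)
        hit = self._entries.get(key)
        if hit and hit[1] > time.time():
            return hit[0]                # cache hit: no AS round trip
        claims = self._as.introspect(token)
        if not claims.get("active"):
            return None
        self._entries[key] = (claims, time.time() + self._ttl)
        return claims

    def evict(self, token):
        self._entries.pop(self._key(token), None)

def logout(auth_server, cache, token):
    """The two steps from the answer: revoke at the AS, then have the API drop its cached claims."""
    auth_server.revoke(token)
    cache.evict(token)
```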
