Why should refresh tokens be saved on the server side?

Question

I understand that access tokens are not saved at the server side (usually) and are just verified using some key and algorithm. However, it seems that the normal behavior is to save a refresh token in the server side (i.e. a database) and compare it with the user's when the user is trying to refresh their access token. My question is why not just verify the refresh token the same way the access token was verified?

Answer

It is generally more secure if a token is an ID that is validated against a database, as this allows the token to be revoked at any time (by removing it from the database or marking it as invalid).

Self-validating tokens, such as JWTs, cannot be revoked (without using a database, which defeats most of the benefits of using self-validating tokens) - they can only expire. Therefore, they should have a short expiry time. The benefit of self-validating tokens is not only performance, but also eliminating dependencies, as the resource server does not need to connect to a database owned by the authorization server. Instead it can simply validate the tokens by itself, using a trusted public key.

Using a database is also easier to implement, as most web apps already have one anyway, and self-validating tokens are easy to do wrong (there are many JWT libraries out there that have flaws or bad defaults).

The refresh token is only used to request a new access token, so performance is not important. The request is sent to the authorization server, which "owns" any authorization-related database(s), so it does not add any unwanted dependencies.

Note that access tokens do not have to be self-validating tokens. It is perfectly fine if they are also simply IDs validated against a database. The separation between access token and refresh token only makes it possible to choose an implementation using self-validating access tokens.
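The split the answer describes, as an added example (not code from the question, the answer, or any library): a short-lived self-validating access token that a resource server checks with nothing but the signing key, next to an opaque refresh token that only the authorization server can check, because it is a random ID looked up in (and removable from) its own store. To stay in the standard library the signature is an HMAC with a shared key instead of the public-key signature the answer mentions; the key, TTLs and the in-memory store are constructed stand-ins.

```python
import base64, hashlib, hmac, json, secrets

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumption: key shared by auth and resource server
ACCESS_TTL = 300                # short-lived: a self-validating token can only expire, never be revoked
REFRESH_TTL = 30 * 24 * 3600    # long-lived, so it must be revocable, hence stored server-side

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(subject: str, now: float) -> str:
    """Self-validating token: claims + MAC over them. Nothing is written server-side."""
    payload = _b64(json.dumps({"sub": subject, "exp": int(now + ACCESS_TTL)}).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_access_token(token: str, now: float):
    """Resource-server check: needs only the key, no database round-trip. Returns subject or None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    return claims["sub"] if claims["exp"] > now else None  # expiry is the only way it stops working

# Refresh tokens are opaque random IDs; the store holds a hash so a leaked table yields no usable token.
REFRESH_STORE: dict = {}        # constructed stand-in for the authorization server's database

def issue_refresh_token(subject: str, now: float) -> str:
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[hashlib.sha256(token.encode()).hexdigest()] = {"sub": subject, "exp": now + REFRESH_TTL}
    return token

def revoke_refresh_token(token: str) -> None:
    REFRESH_STORE.pop(hashlib.sha256(token.encode()).hexdigest(), None)   # revocation is just a delete

def refresh(token: str, now: float):
    """Authorization-server check: look the ID up, then rotate it. Returns (access, refresh) or None."""
    key = hashlib.sha256(token.encode()).hexdigest()
    record = REFRESH_STORE.get(key)
    if record is None or record["exp"] <= now:
        REFRESH_STORE.pop(key, None)
        return None
    del REFRESH_STORE[key]      # rotation: each refresh token is single-use
    return issue_access_token(record["sub"], now), issue_refresh_token(record["sub"], now)
```

Note that `verify_access_token` never touches `REFRESH_STORE`, which is the dependency-free property the answer describes, while `revoke_refresh_token` takes effect immediately.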
