如何验证资源服务器的 OAuth 2.0 访问令牌? [英] How to validate an OAuth 2.0 access token for a resource server?

问题描述

当客户端要求资源服务器使用 OAuth 2.0 访问令牌获取受保护的资源时，该服务器如何验证令牌?OAuth 2.0 刷新令牌协议?

When a client asks a resource server to get a protected resource with an OAuth 2.0 access token, how does this server validate the token? The OAuth 2.0 refresh token protocol?

推荐答案

2015 年 11 月更新: 根据下面的 Hans Z. - 这现在确实被定义为 RFC 7662.

Update Nov. 2015: As per Hans Z. below - this is now indeed defined as part of RFC 7662.

原始答案: OAuth 2.0 规范(RFC 6749)没有明确定义资源服务器 (RS) 和授权服务器 (AS) 之间用于访问令牌 (AT) 验证的交互.这实际上取决于 AS 的令牌格式/策略 - 有些令牌是自包含的(例如 JSON Web Tokens) 而其他可能类似于会话 cookie，因为它们只是将服务器端保存的信息引用回 AS.

Original Answer: The OAuth 2.0 spec (RFC 6749) doesn't clearly define the interaction between a Resource Server (RS) and Authorization Server (AS) for access token (AT) validation. It really depends on the AS's token format/strategy - some tokens are self-contained (like JSON Web Tokens) while others may be similar to a session cookie in that they just reference information held server side back at the AS.

在 OAuth 中有一些讨论关于创建 RS 与 AS 通信以进行 AT 验证的标准方式的工作组.我的公司 (Ping Identity) 为我们的商业 OAuth AS (PingFederate) 提出了一种这样的方法: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=lzn1564003025072.html#lzn1564003025072__section_N10578_N1002A_N10001 .它为此使用基于 REST 的交互，这与 OAuth 2.0 非常互补.

There has been some discussion in the OAuth Working Group about creating a standard way for an RS to communicate with the AS for AT validation. My company (Ping Identity) has come up with one such approach for our commercial OAuth AS (PingFederate): https://support.pingidentity.com/s/document-item?bundleId=pingfederate-93&topicId=lzn1564003025072.html#lzn1564003025072__section_N10578_N1002A_N10001. It uses REST based interaction for this that is very complementary to OAuth 2.0.

这篇关于如何验证资源服务器的 OAuth 2.0 访问令牌?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！