where to store - access token and refresh token in OAuth 2.0


Problem description

I am new to OAuth 2.0 and I wish to know what is the best practice / location to store access token and refresh token in generic e-commerce web site.

Question 1:
Where should the access token and refresh token be stored in web sites? (cookies, web storage or local storage). And where do big companies like Google and Dropbox store the access token and refresh token?

Question 2:
If the refresh token is stored on the client side (taking a browser on a desktop/laptop), isn't it possible that someone who gains physical access to that device is able to get the refresh token and device information and use it to generate an access token somewhere else?

Question 3:
I have seen some posts that suggest that the refresh token should never be stored on or known by the client side. Then, where should the refresh token be stored and how to reauthenticate in this case?

Recommended answer

A1: the access token has a much shorter time-to-live than the refresh token; you may store the refresh token in local storage or even in other secure storage on the server side; for the access token, both web storage and local storage are fine; storing the access token in a cookie does not make much sense

A2: yes, hence the refresh token should not be stored on the client side;

A3: store it on the server/service side
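As an added illustration of A2/A3 (example code, not from the answer above), the following Python keeps the refresh token server side, keyed by an opaque session id that is the only thing handed to the browser; re-authentication happens on the server by calling the token endpoint when the cached access token is about to expire. The token endpoint here is a constructed stand-in, and the `skew` window and rotation behaviour are assumptions for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed stand-in for the authorization server's token endpoint (a real one
# is an HTTPS POST with grant_type=refresh_token); it rotates both tokens.
def fake_token_endpoint(refresh_token: str) -> dict:
    if not refresh_token.startswith("rt-"):
        raise PermissionError("invalid refresh token")
    return {
        "access_token": "at-" + secrets.token_hex(8),
        "expires_in": 300,
        "refresh_token": "rt-" + secrets.token_hex(8),  # rotated on each use
    }

@dataclass
class TokenRecord:
    access_token: str
    expires_at: float
    refresh_token: str

class ServerSideTokenStore:
    """Keeps refresh tokens on the server, keyed by an opaque session id."""

    def __init__(self, token_endpoint: Callable[[str], dict],
                 now: Callable[[], float] = time.time, skew: int = 30):
        self._endpoint = token_endpoint
        self._now = now
        self._skew = skew          # refresh this many seconds before expiry
        self._records: Dict[str, TokenRecord] = {}

    def store(self, access_token: str, expires_in: int, refresh_token: str) -> str:
        # The browser only ever receives this random session id (e.g. in an
        # HttpOnly cookie); the refresh token itself never leaves this dict.
        session_id = secrets.token_urlsafe(32)
        self._records[session_id] = TokenRecord(
            access_token, self._now() + expires_in, refresh_token)
        return session_id

    def get_access_token(self, session_id: str) -> str:
        rec = self._records[session_id]          # KeyError for unknown sessions
        if self._now() + self._skew >= rec.expires_at:
            fresh = self._endpoint(rec.refresh_token)   # server-side re-auth
            rec.access_token = fresh["access_token"]
            rec.expires_at = self._now() + fresh["expires_in"]
            rec.refresh_token = fresh.get("refresh_token", rec.refresh_token)
        return rec.access_token
```

The web tier calls `get_access_token(session_id)` before each upstream API request, so the client never needs to hold the refresh token to stay logged in.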
