OAuth2 - unnecessary complexity with refresh token


Problem description

I do not clearly understand, why there is a refresh/access token concept in oauth2 if the endpoint is the same (authorization) server as depicted many times in RFC6749.

The first authorization step when the resource owner authorizes any third party component without sharing credentials, is the essential idea of oauth2. Using an authorization token to generate an access and refresh token is only another level of authorization indirection imho, but no increase in security.

Since the authorization server is the same, the access token is as sensitive as the authorization token and refresh token, thus I would call it unnecessary complexity.

The only explanation making sense for me is, if someone stole the access token the client is able to request a new access token. But how did someone steal it? If it is a man in the middle, then he also has the refresh token when the client requests a new one.

My question is: why does the authorization server not just return an access token which can be revoked by client and resource owner? What is the benefit of refresh/access token strategy?

Thanks for your explanation.

Recommended answer

The refresh token is an attempt to resolve fine-grain access checks with the server load. Reducing server load occurs when a resource owner caches the access token between calls so that it can authorize subsequent calls without going to the authorization server. This dramatically reduces load on the authz server. But this introduces a problem in that changes in the token's permissions, specifically reductions in what the token can be used for, are never seen by the resource owner as it's caching the access token.

Now a well-behaved resource owner would know that it should only cache the token for a short while before reconfirming it with the authorization server. But you can't rely on resource owners being well behaved. So, the authorization server puts a relatively short expiration on the access token. This forces the client to use the refresh token to get a new access token. Then the resource owner will validate the new access token and get the current rights for the token.

It is important to note that refreshing the access token happens without user interaction. If reauthentication was not a problem for the user interaction model, the refresh token wouldn't be needed and the user could just reauthenticate. But that would kind of suck.

This means that if the user were to remove permissions from their OAuth account, resource owners will continue to function with the old permission set until the access token expires. The new access token will then be obtained and the new permission set will take effect.
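The timeline the answer describes (a cached, locally validated access token keeps its old scopes until it expires, and only the refresh grant picks up the reduced permissions), as an added example that is not part of the question or answer. The signing key, client id, scopes and the in-memory grant and refresh-token tables are all constructed for this illustration; the token format is a hypothetical HMAC-signed JSON blob, not a real OAuth2 server's format.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-signing-key"      # hypothetical authz-server key (constructed)
grants = {"client-app": {"read", "write"}}    # what the user has currently granted each client
refresh_tokens = {}                           # refresh token -> client_id

def _sign(payload: dict) -> str:
    """Encode claims and append an HMAC tag so the resource side can verify offline."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def issue_tokens(client_id: str, now: int, ttl: int = 60):
    """Authorization server: mint a short-lived access token snapshotting the
    *current* grant, plus an opaque refresh token bound to the client."""
    access = _sign({"client": client_id, "scope": sorted(grants[client_id]), "exp": now + ttl})
    refresh = secrets.token_urlsafe(16)
    refresh_tokens[refresh] = client_id
    return access, refresh

def refresh_access_token(refresh: str, now: int, ttl: int = 60):
    """Refresh grant (RFC 6749 section 6): scopes are re-read from the live grant,
    never copied from the old access token. The refresh token is rotated."""
    client_id = refresh_tokens.pop(refresh, None)
    if client_id is None:
        raise PermissionError("invalid_grant")
    return issue_tokens(client_id, now, ttl)

def check_access(access: str, required_scope: str, now: int) -> bool:
    """Token-checking side: verifies signature and expiry locally, with no
    round trip to the authorization server (this is the cached-token case)."""
    body, _, tag = access.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["exp"] > now and required_scope in claims["scope"]

def demo():
    """Walk the timeline: grant, revoke, cached token, expiry, refresh."""
    t0 = 1_000_000
    access, refresh = issue_tokens("client-app", t0)
    grants["client-app"].discard("write")                   # user revokes "write" at the authz server
    still_write = check_access(access, "write", t0 + 30)    # cached token still says "write": True
    expired = check_access(access, "write", t0 + 61)        # past exp: False
    access2, _ = refresh_access_token(refresh, t0 + 61)     # refresh picks up the reduced grant
    after_refresh = check_access(access2, "write", t0 + 62) # new token lacks "write": False
    read_ok = check_access(access2, "read", t0 + 62)        # "read" still granted: True
    return still_write, expired, after_refresh, read_ok
```

Shortening `ttl` narrows the window in which a revoked scope still works; lengthening it lowers authorization-server load, which is the trade-off the answer describes.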
