Best practices for handling access tokens and scopes for OAuth2 implementation?


Question


Assume we have an OAuth2 implementation that supports "read" and "write" scope.


I retrieve an access token "f482c829" with "read" scope. If I then change my mind and now want read+write permission and authorize again with "read" and "write" scope, do you:

  • update the scope on the existing access token and return the same token "f482c829"?
  • if using the same token, require the access token to be retrieved again with response_type=code before updating the scope? (I think yes)
  • update the scope on the existing access token and return a refreshed token "zf382nL"?
  • create an entirely new token, leaving "f482c829" and its scope unchanged?


If you create a new token every time per scope, you end up having to store multiple access tokens per authorization and different permissions everywhere. I've been hesitant to implement it that way.


The OAuth2 spec (as of draft-12) unfortunately does not address any of this.

Answer


In Facebook's case, the resource server is basically the same as the authorization server, so they do it the "use existing token" way. It also enables users to disable each scope on the facebook.com site. As for refresh tokens, you don't need to establish a new refresh token (of course you can do so). The existing refresh token will also be connected with all scopes.


In Google's case (maybe Yahoo! too), the resource server is totally different from the authorization server. Many resource servers (Docs, Buzz, etc.) accept access tokens established by a single authorization server. In this case, the "establish new token" way seems better.


In Twitter's case (maybe your case too), both seem OK.


Plus, in any case, when a user revokes client access you need to revoke all tokens for the client. The user is not revoking a "token" but a "client".


Since developers should pre-register the redirect_uri, using the same client credentials both on a website and on mobile seems tricky. So I recommend asking developers to use different client credentials in that case.
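The two strategies the answer contrasts ("use existing token" versus "establish new token") and client-level revocation, as an added example that is not part of the question or answer above. It is a minimal in-memory token store for an authorization server; the `TokenStore`/`AccessToken` names and the `strategy` parameter are this example's own, and token values are random hex from `secrets`.

```python
# Added example (not from the original question or answer): a minimal in-memory
# token store for an authorization server that shows the two strategies the
# answer contrasts, "reuse the existing token" versus "establish a new token",
# and client-level revocation. Token values are generated with secrets; the
# class and method names are this example's own.
import secrets
from dataclasses import dataclass, field


@dataclass
class AccessToken:
    value: str
    user: str
    client_id: str
    scopes: set = field(default_factory=set)
    revoked: bool = False


class TokenStore:
    def __init__(self):
        self.tokens = {}  # token value -> AccessToken

    def _active_for(self, user, client_id):
        return [t for t in self.tokens.values()
                if t.user == user and t.client_id == client_id and not t.revoked]

    def authorize(self, user, client_id, scopes, strategy="reuse"):
        """Handle a (re)authorization after the user consented to `scopes`.
        "reuse": widen the client's existing token and return the same value
        (the Facebook way); "new": mint a separate token carrying exactly this
        grant and leave earlier tokens intact (the Google way)."""
        scopes = set(scopes)
        if strategy == "reuse":
            for tok in self._active_for(user, client_id):
                tok.scopes |= scopes
                return tok.value
        tok = AccessToken(secrets.token_hex(16), user, client_id, scopes)
        self.tokens[tok.value] = tok
        return tok.value

    def allows(self, value, scope):
        """Resource-server check: token is live and carries `scope`."""
        tok = self.tokens.get(value)
        return tok is not None and not tok.revoked and scope in tok.scopes

    def revoke_client(self, user, client_id):
        """The user revokes the client, not one token: kill all of its tokens."""
        for tok in self._active_for(user, client_id):
            tok.revoked = True
```

With "reuse", a second consent for "read" and "write" widens the original token in place; with "new", each grant gets its own token and a client revocation must sweep all of them, which is exactly the multi-token bookkeeping the question worries about.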
