Android/iOS secret expiration management with client credentials flow


Question

I'd like to know if there is any strategy for managing secret expiration on mobile devices.

In a scenario where an authorization server allows a mobile client to authorize against it using the resource owner password flow in combination with client credentials, with the client secret having an expiration time.

I've seen there are ways to safely store secrets in Android apps at least, but how do you manage secret expiration without publishing a new version of the app?

Answer

This is how we have done it in our app, following the OAuth refresh token standard.

Step 1: Your API should be sending a standard auth token response, as stated here:

 HTTP/1.1 200 OK
 Content-Type: application/json;charset=UTF-8
 Cache-Control: no-store
 Pragma: no-cache

 {
   "access_token":"2YotnFZFEjr1zCsicMWpAA",
   "token_type":"example",
   "expires_in":3600,
   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
   "example_parameter":"example_value"
 }

Step 2: Save that response in Shared Preferences / a local cache / a local database. We used Shared Preferences (assuming accountToken is an object of the class created from the auth token response):

import android.content.Context;
import android.content.SharedPreferences;

// Persist the token response together with the time it was saved (seconds since epoch),
// so the expiry check in Step 3 can work out how much of expires_in has already elapsed.
SharedPreferences.Editor editor = getContext().getSharedPreferences("AUTH_PREFS_NAME", Context.MODE_PRIVATE).edit();
editor.putString("AUTH_ACCESS_TOKEN_KEY", accountToken.getAccess_token());
editor.putString("AUTH_REFRESH_TOKEN_KEY", accountToken.getRefresh_token());
editor.putLong("AUTH_EXPIRES_IN_KEY", accountToken.getExpires_in());
// Written with putLong: it must be read back with getLong, not getInt, or SharedPreferences throws ClassCastException.
editor.putLong("AUTH_TIME_SAVED_KEY", System.currentTimeMillis() / 1000);
editor.commit();

Step 3: Each time you have to use the saved access token, make sure it is not expired:

public boolean needsTokenRefresh(String accessToken) {
    if (accessToken == null || accessToken.length() == 0) {
        // no access token to refresh. Don't refresh (the caller has to log in instead).
        return false;
    }

    SharedPreferences pref = mContext.getSharedPreferences("AUTH_PREFS_NAME", Context.MODE_PRIVATE);
    String refreshToken = pref.getString("AUTH_REFRESH_TOKEN_KEY", null);
    if (refreshToken == null || refreshToken.length() == 0) {
        // no refresh token. Can't refresh.
        return false;
    }

    // Read back with getLong: the value was written with putLong in Step 2.
    long timeSaved = pref.getLong("AUTH_TIME_SAVED_KEY", 0);
    if (timeSaved == 0) {
        // No recording of having saved the token. Don't refresh.
        return false;
    }

    long expiresIn = pref.getLong("AUTH_EXPIRES_IN_KEY", 0);
    long now = System.currentTimeMillis() / 1000;
    long timePassed = Math.abs(now - timeSaved);
    // Expired once the whole expires_in window has elapsed since the token was saved.
    return expiresIn <= timePassed;
}

If needsTokenRefresh() returns false, use the saved auth token. If it returns true, go to the next step.

Step 4: Make the auth call again with grant_type set to refresh_token, as stated in the standard.

Step 5: The auth call should return the standard auth response described in Step 1, with the token refreshed and a new refresh_token.
