OAuth 2.0 令牌对于提供商来说永远是唯一的吗? [英] Is an OAuth 2.0 token forever unique to the provider?

问题描述

当 OAuth 2.0 提供者发出令牌时，该令牌值对提供者来说永远是唯一的吗?或者是否有可能在未来的某个时候，大概是在令牌过期后，另一个可能为不同用户使用的令牌可能会以相同的值发行?在搜索过程中，我发现了很多关于代币到期的信息，但没有详细说明该代币值是否有可能在未来重新使用.

When an OAuth 2.0 provider issues a token, is that token value forever unique to the provider? Or is it possible that sometime in the future, presumably after the token expires, another token, potentially for a different user, could be issued with the same value? In searching I found much information about tokens expiring, but no details about if that token value could potentially be re-used in the future.

推荐答案

核心 OAuth 2 规范中没有任何内容可以保证这一点.如果有可能发生碰撞，它是特定于实现的.您应该从您的 OAuth AS 提供商处了解可能性是什么.但同意 Artem - 如果您试图根据假设只是 API(访问)令牌来唯一标识用户，这听起来很奇怪.

There's nothing in the core OAuth 2 spec that guarantees this. It is implementation specific if there is a chance of collision or not. You should find out from your OAuth AS provider what the likelihood is. But agreed with Artem - this sounds odd if you are trying to uniquely identify users based on what is suppose to be just an API (access) token.

这篇关于OAuth 2.0 令牌对于提供商来说永远是唯一的吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！