Should old OAuth 2.0 refresh tokens be revoked


Question

In principle, should any existing OAuth 2.0 refresh tokens (for a given client/user combination) be revoked when a new refresh token is issued following a password grant authentication?

I can't find anything specific in the spec. Would it be legitimate to reissue the same refresh token for subsequent password logins?

Accepted answer

Section 6 of the OAuth spec states:

The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.


So there is no requirement that you MUST issue a new refresh token and revoke the old one; however, for the same reason that access_tokens expire, it would be a good idea to issue new ones. A compromised refresh_token would only be valid until the subsequent refresh. This would allow a developer to revoke the refresh token should it ever be leaked.
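The rotation policy the answer recommends, written out as an added example (not code from the original thread or from any OAuth library). It is an in-memory model of just the password and refresh_token grants; the names AuthServer, RefreshToken, is_valid and the revoke_on_new_login knob are assumptions for the demo, not RFC 6749 terms. It also goes one step beyond the answer: a refresh token that has already been rotated is treated as evidence of theft and its whole family is revoked, as the OAuth 2.0 Security BCP recommends for reuse detection.

```python
"""Refresh-token rotation with revocation of the old token.

Added example, not code from the original Q&A. It models only the
password and refresh_token grants of an authorization server in memory;
names such as AuthServer, RefreshToken and revoke_on_new_login are
assumptions for the demo, not RFC 6749 terms.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class RefreshToken:
    family: str          # all tokens descending from one password grant
    client_id: str
    user: str
    scope: frozenset
    revoked: bool = False


@dataclass
class AuthServer:
    # Policy knob for the question asked in the thread: revoke every earlier
    # refresh token of the same client/user when a new password grant succeeds.
    revoke_on_new_login: bool = False
    tokens: dict = field(default_factory=dict)  # refresh token string -> RefreshToken

    def _mint(self, family, client_id, user, scope):
        token = secrets.token_urlsafe(32)      # unguessable, 256 bits of entropy
        self.tokens[token] = RefreshToken(family, client_id, user, frozenset(scope))
        return token

    def _revoke_family(self, family):
        for rec in self.tokens.values():
            if rec.family == family:
                rec.revoked = True

    def password_grant(self, client_id, user, password, scope):
        # Credential check is stubbed for the demo: any non-empty password passes.
        if not password:
            raise ValueError("invalid_grant")
        if self.revoke_on_new_login:
            for rec in self.tokens.values():
                if rec.client_id == client_id and rec.user == user:
                    rec.revoked = True
        family = secrets.token_hex(8)           # a fresh family per login
        return {
            "access_token": secrets.token_urlsafe(16),
            "refresh_token": self._mint(family, client_id, user, scope),
            "scope": " ".join(sorted(scope)),
        }

    def refresh(self, client_id, refresh_token, requested_scope=None):
        rec = self.tokens.get(refresh_token)
        # Unknown token, or a token bound to a different client: plain invalid_grant.
        if rec is None or rec.client_id != client_id:
            raise ValueError("invalid_grant")
        if rec.revoked:
            # An already-rotated token came back. Either the client lost the
            # rotation response or someone replayed a stolen copy; we cannot tell,
            # so the whole family is revoked (reuse detection, as recommended by
            # the OAuth 2.0 Security BCP; this goes beyond the thread's answer).
            self._revoke_family(rec.family)
            raise ValueError("invalid_grant")
        # RFC 6749 section 6: the access token may be narrowed but never widened.
        access_scope = frozenset(requested_scope) if requested_scope else rec.scope
        if not access_scope <= rec.scope:
            raise ValueError("invalid_scope")
        # Rotation: the old refresh token dies the moment its successor is minted
        # (the "MAY revoke" of section 6), and the successor keeps the identical scope.
        rec.revoked = True
        return {
            "access_token": secrets.token_urlsafe(16),
            "refresh_token": self._mint(rec.family, client_id, rec.user, rec.scope),
            "scope": " ".join(sorted(access_scope)),
        }

    def is_valid(self, refresh_token):
        rec = self.tokens.get(refresh_token)
        return rec is not None and not rec.revoked


def stolen_token_replay():
    """Walk through the scenario from the answer: a leaked refresh token is
    only useful until the legitimate client's next refresh. Returns the
    validity of (leaked token, its successor) after the attacker replays it."""
    srv = AuthServer()
    leaked = srv.password_grant("app", "alice", "hunter2", ["read", "write"])["refresh_token"]
    successor = srv.refresh("app", leaked)["refresh_token"]   # legitimate client rotates
    try:
        srv.refresh("app", leaked)                               # attacker replays the old one
    except ValueError:
        pass
    return srv.is_valid(leaked), srv.is_valid(successor)


if __name__ == "__main__":
    print(stolen_token_replay())
```

Note that a failed refresh (wrong client or widened scope) does not consume the token, so a buggy but honest client can retry; only presenting a token that has already been rotated triggers family revocation. Whether a new password login should also kill earlier tokens is left as the revoke_on_new_login policy, since the spec does not decide it.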

