How to securely keep my users signed in with refresh tokens?


Question

From https://stackoverflow.com/a/7209263/1225328:

The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it.

I get it, but if the attacker accesses the refresh token, they will be able to get a fresh auth token, am I wrong? This seems to just postpone the long-lived tokens security flaw...

Concerning this point, you'll find in the same answer:

Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token.

Then what's the difference between using a refresh token and simply re-signing in? And how do you store the client id and secret if you don't want users to have to re-enter them again?

As @FStephenQ pointed out, a refresh token can be used only once: an attacker will then be able to get a new auth token, but only once, and a short-lived one. But then, how do you obtain a new refresh token once you have already used one? If you get a new one when you use one, an attacker will then be able to refresh their token too...

The actual question is: how do I keep my users signed in? On the apps I use, once I have signed in, I never have to sign in again: how do they proceed?

Answer

A refresh token can only be used to refresh once, and it is only sent to the authentication server when the client's access token has expired. When a refresh token is used, the authentication server returns a new authentication token, and optionally a new refresh token. The idea is to allow using short-lived access tokens, while allowing a valid client to re-authenticate without forcing the user to log in again.

If a refresh token is stolen, then it can be used once by the attacker to get a valid access token. When the client tries to refresh their token, their refresh token will be stale, and so will be rejected. They will then ask the user to log in again, and the authentication server will give them a new access token and refresh token, and the stolen token will be invalidated.
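The one-time refresh token rotation the answer describes, as an added example that is not part of the original answer: a small in-memory authorization server that issues short-lived access tokens, consumes each refresh token exactly once, rotates it on use, and replays the "stolen refresh token" sequence from the answer. It goes one step beyond the answer's text: every sign-in starts a token family (one chain of rotated refresh tokens), and presenting an already-consumed token from that family revokes the whole family, so the attacker's rotated token dies at the same moment the legitimate client is rejected, not only after the user signs in again. The demo user, password and token format are hypothetical, and the client id/secret check mentioned in the question is not modelled (the client is treated as a public client).

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

ACCESS_TTL = 300  # seconds; access tokens are deliberately short-lived


def _digest(token: str) -> str:
    # Only hashes of refresh tokens are stored, so a database leak does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Family:
    """One sign-in session: a chain of refresh tokens descending from a single login."""
    user: str
    current: str                              # digest of the only refresh token valid right now
    used: set = field(default_factory=set)    # digests of refresh tokens already consumed
    revoked: bool = False


class AuthServer:
    def __init__(self, now=time.time):
        self._now = now
        self._families = {}                             # family_id -> Family
        self._credentials = {"alice": "correct horse"}  # constructed demo user (hypothetical)

    def login(self, user: str, password: str) -> dict:
        if self._credentials.get(user) != password:
            raise PermissionError("bad credentials")
        family_id = secrets.token_urlsafe(8)
        refresh = secrets.token_urlsafe(32)
        self._families[family_id] = Family(user=user, current=_digest(refresh))
        return self._issue(family_id, refresh)

    def _issue(self, family_id: str, refresh: str) -> dict:
        return {
            "access_token": secrets.token_urlsafe(32),
            "access_expires": self._now() + ACCESS_TTL,
            "refresh_token": f"{family_id}.{refresh}",  # family id travels with the token
        }

    def refresh(self, refresh_token: str) -> dict:
        family_id, _, secret = refresh_token.partition(".")
        fam = self._families.get(family_id)
        if fam is None or fam.revoked:
            raise PermissionError("unknown or revoked refresh token")
        d = _digest(secret)
        if d in fam.used:
            # An already-consumed token is being presented again: either the real client or an
            # attacker holds a stale copy. Revoke the whole chain so nobody can refresh further
            # and the user has to sign in again. (Reuse detection goes beyond the answer's text.)
            fam.revoked = True
            raise PermissionError("refresh token reuse detected; session revoked")
        if not secrets.compare_digest(d, fam.current):
            raise PermissionError("invalid refresh token")
        fam.used.add(d)                      # one-time use: this token is now stale
        new_refresh = secrets.token_urlsafe(32)
        fam.current = _digest(new_refresh)   # rotate: the new token is the only valid one
        return self._issue(family_id, new_refresh)


def run_scenario() -> dict:
    """Replay the stolen-refresh-token story from the answer and report what each party gets."""
    clock = [1_000_000.0]
    srv = AuthServer(now=lambda: clock[0])
    pair = srv.login("alice", "correct horse")
    stolen = pair["refresh_token"]           # the attacker exfiltrates the refresh token
    # The attacker refreshes first and receives a fresh, rotated pair.
    attacker_pair = srv.refresh(stolen)
    # The real client's access token expires; it refreshes with the now-stale token and is rejected.
    clock[0] += ACCESS_TTL + 1
    try:
        srv.refresh(stolen)
        client_rejected = False
    except PermissionError:
        client_rejected = True
    # Because the reuse revoked the whole family, the attacker's rotated token is dead too.
    try:
        srv.refresh(attacker_pair["refresh_token"])
        attacker_rejected = False
    except PermissionError:
        attacker_rejected = True
    # The user signs in again and gets a brand-new family that refreshes normally.
    fresh = srv.login("alice", "correct horse")
    rotated = srv.refresh(fresh["refresh_token"])
    return {
        "attacker_got_pair": "access_token" in attacker_pair,
        "client_rejected": client_rejected,
        "attacker_rejected": attacker_rejected,
        "relogin_refresh_ok": rotated["refresh_token"] != fresh["refresh_token"],
    }


if __name__ == "__main__":
    print(run_scenario())
```

Note that the legitimate client cannot tell from the rejection whether it raced itself (e.g. two tabs refreshing at once) or whether an attacker got there first; either way the only safe response is to drop the session and ask the user to sign in again, which is exactly what the answer prescribes.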
