How to revoke the RefreshToken and invalidate the AccessToken at the same time in OAuth2
Problem description
I'm developing the authentication flow of a single page application (AngularJS + .Net MVC Json Rest API) using Owin OAuth2 (Authorization and Resource servers are the same).
I've chosen the Bearer Token route over the traditional cookie+session because I would like to stay stateless and also because the same Api will be used by a mobile app, where a token has fewer problems than a cookie.
This is the simplified flow:
- User submits Username/Password to the server (POST over HTTPS to the TokenProvider route)
- Owin creates an AccessToken with a claim containing a generated GUID (that will represent something like a Session Id) and some other claims.
- Owin creates a RefreshToken.
- Server creates an entry in the RefreshToken table with the following fields:
GUID (PK) | RefreshToken | Ticket | DateIssued | DateExpire | DateEnd
- Server provides both the AccessToken and the RefreshToken to the client.
- Client stores both the AccessToken and RefreshToken into the SessionStorage.
- Client accesses the API with the AccessToken.
When AngularJS detects that the AccessToken is about to expire, it buffers all the requests and issues a grant_type refresh_token request; the server uses the RefreshToken provided by the client and:
- Checks if the Refresh Token is still valid in the Db (DateExpire > GetTime() And DateEnd is Null)
- Takes the Ticket from the Db
- Creates an AccessToken from the Ticket
- Updates the db entry with the fresh Dates, the new RefreshToken and the new Ticket (Note: the GUID remains the same)
When the client hits the logout server side, the GUID read from the identity claim of the logged-in user is used to invalidate the entry in the table (DateEnd = GetTime()).
Client side, both tokens are removed from the SessionStorage.
In this way, I can revoke the RefreshToken, denying any other requests to get a fresh AccessToken.
The problem with this approach is that there is a window of time when the authorization is revoked (ie: RefreshToken invalidated on the DB) but the AccessToken is still valid (although for a limited frame of time).
What I'm thinking to do is to check the validity of the AccessToken on each request, taking the GUID from the user identity claims and hitting the db to check if the Refresh Token of that specific GUID is still valid.
Although it's quite trivial to make the queries perform in O(1), the single point of failure itself can have a negative impact on the scalability and performance of the system.
Do you know another method to mitigate this problem, and do you see any flaws in my approach?
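A runnable model of the flow described in the question (login, refresh with token rotation under a constant GUID, logout via DateEnd, and the stateless token check next to the per-request DB check), added here as an example and not taken from the post or from Owin. The HMAC-signed token format, the SECRET key, the in-memory table and the `sid` claim name are assumptions standing in for the real token provider and database; the point it makes visible is that after logout the signed AccessToken still verifies until its own expiry unless the table is consulted.

```python
import base64, hashlib, hmac, json, uuid
from dataclasses import dataclass
from typing import Optional, Tuple

SECRET = b"constructed-sample-signing-key"  # hypothetical server-side signing key

def _sign(claims: dict) -> str:  # self-contained access token: base64(JSON claims).HMAC
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def verify_access_token(token: str, now: float) -> Optional[dict]:  # stateless: signature + expiry
    body, _, mac = token.partition(".")
    if not hmac.compare_digest(mac, hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None

@dataclass
class RefreshRow:  # one row of the RefreshToken table, keyed by the session GUID (PK)
    refresh_token: str
    ticket: dict
    date_issued: float
    date_expire: float
    date_end: Optional[float] = None

class TokenService:
    def __init__(self, access_ttl: float = 1800, refresh_ttl: float = 14 * 86400):
        self.access_ttl, self.refresh_ttl, self.table = access_ttl, refresh_ttl, {}
    def _issue(self, guid: str, ticket: dict, now: float) -> Tuple[str, str]:
        access = _sign({**ticket, "sid": guid, "exp": now + self.access_ttl})
        refresh = uuid.uuid4().hex  # constructed opaque refresh token
        self.table[guid] = RefreshRow(refresh, ticket, now, now + self.refresh_ttl)
        return access, refresh
    def login(self, username: str, now: float) -> Tuple[str, str]:
        return self._issue(uuid.uuid4().hex, {"sub": username}, now)
    def refresh(self, refresh_token: str, now: float) -> Optional[Tuple[str, str]]:
        # New pair only if DateExpire > now and DateEnd is null; GUID is kept, both tokens rotate
        for guid, row in self.table.items():
            if row.refresh_token == refresh_token and row.date_expire > now and row.date_end is None:
                return self._issue(guid, row.ticket, now)
        return None
    def logout(self, access_token: str, now: float) -> None:
        claims = verify_access_token(access_token, now)  # GUID comes from the identity claim
        if claims and claims["sid"] in self.table:
            self.table[claims["sid"]].date_end = now  # DateEnd = GetTime()
    def session_active(self, guid: str, now: float) -> bool:
        # The per-request DB check the question proposes to close the revocation window
        row = self.table.get(guid)
        return row is not None and row.date_expire > now and row.date_end is None
```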
Recommended answer
There is nothing wrong with your approach and it is very similar to the approach I've blogged about earlier (http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/), but my recommendation is not to do any DB checks when you send the access token.
Why don't you issue short-lived access tokens (i.e. 30 mins) and wait until the access token lifetime has expired after revoking the refresh token? And on the client you can clear the refresh token and access token from your client local storage.