Why Does OAuth v2 Have Both Access and Refresh Tokens?


Question

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new access_token:

https://www.rfc-editor.org/rfc/rfc6749#section-4.2

Why have both? Why not just make the access_token last as long as the refresh_token and not have a refresh_token?

Recommended answer

The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it.

Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token.

Having said that, because every call to both the authorization server and the resource server is done over SSL - including the original client id and secret when they request the access/refresh tokens - I am unsure as to how the access token is any more "compromisable" than the long-lived refresh token and clientid/secret combination.

This of course is different to implementations where you don't control both the authorization and resource servers.

Here is a good thread talking about uses of refresh tokens: OAuth Archives.

A quote from the above, talking about the security purposes of the refresh token:

Refresh tokens... mitigates the risk of a long-lived access_token leaking (query param in a log file on an insecure resource server, beta or poorly coded resource server app, JS SDK client on a non https site that puts the access_token in a cookie, etc)
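The two properties the answer relies on, a short-lived access token that a resource server stops honouring after its TTL and a refresh token that is worthless without the client id and secret, as an added toy model that is not part of the original thread or of any OAuth library (the `AuthServer` class, its client registry, the TTL values and the `app`/`s3cret` credentials are all constructed for illustration):

```python
import hmac
import secrets

ACCESS_TTL = 600           # seconds: short-lived, so a leaked access token has a small abuse window
REFRESH_TTL = 30 * 86400   # long-lived, but only usable together with the client's own credentials

class AuthServer:
    # Toy authorization + resource server in one object (constructed example, not a real OAuth library).
    def __init__(self, clients):
        self.clients = clients       # client_id -> client_secret (constructed registry)
        self.access_tokens = {}      # access_token -> (client_id, expires_at)
        self.refresh_tokens = {}     # refresh_token -> (client_id, expires_at)

    def _client_ok(self, client_id, client_secret):
        # constant-time compare; an unknown client_id fails the same way as a wrong secret
        return hmac.compare_digest(self.clients.get(client_id, ""), client_secret)

    def token(self, client_id, client_secret, now):
        # Initial grant: mint a refresh token, then run the refresh grant to get the access token.
        if not self._client_ok(client_id, client_secret):
            return None
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = (client_id, now + REFRESH_TTL)
        return {**self.refresh(client_id, client_secret, rt, now), "refresh_token": rt}

    def refresh(self, client_id, client_secret, refresh_token, now):
        # Refresh grant: the token alone is useless; the client must authenticate and own it.
        entry = self.refresh_tokens.get(refresh_token)
        if not self._client_ok(client_id, client_secret) or entry is None:
            return None
        if entry[0] != client_id or entry[1] <= now:   # wrong client, or refresh token expired
            return None
        at = secrets.token_urlsafe(32)
        self.access_tokens[at] = (client_id, now + ACCESS_TTL)
        return {"access_token": at}

    def introspect(self, access_token, now):
        # Resource-server check: unknown or expired access tokens are rejected.
        return self.access_tokens.get(access_token, (None, 0))[1] > now

def demo():
    # The answer's scenarios on a fixed clock, so the run is deterministic.
    srv, t0 = AuthServer({"app": "s3cret"}), 1_000_000   # constructed client credentials
    at, rt = srv.token("app", "s3cret", now=t0).values()  # dict order: access, then refresh
    return {
        "access_valid_now": srv.introspect(at, now=t0 + 60),
        "leaked_access_after_ttl": srv.introspect(at, now=t0 + ACCESS_TTL + 1),
        "refresh_without_secret": srv.refresh("app", "wrong", rt, now=t0 + 3600) is not None,
        "refresh_with_secret": srv.refresh("app", "s3cret", rt, now=t0 + 3600) is not None,
    }
```

`demo()` returns the four outcomes the answer describes: the stolen access token stops working once its TTL passes, and the stolen refresh token yields nothing unless the caller also holds the client secret.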
