Should I explicitly send the Refresh Token to get a new Access Token - JWT


Question

In my application, I return an access token and a refresh token when a user logs in successfully. The expiration times for access and refresh token have been set to 10 and 40 minutes respectively. (I should do some more research on those values. This is just for testing)

I used the implementation described in following article

http://www.svlada.com/jwt-token-authentication-with-spring-boot/

Let's say I invoke a request to the server 10 minutes after logging in. Since the access token is expired, I am getting a 401 error response.

However, as a beginner, I find it difficult to understand whether I need to send the refresh token explicitly in order to obtain a new access token. If I should do so, how to do that? I should send the refresh token as what? a header?

Or else, when my request is rejected by the server since the access token is expired, should the refresh token itself send a request automatically to the server in order to obtain a new access token?

I found it hard to understand the nature of the behavior of the refresh token from the resources I found on the net. Kindly clarify these questions for me.

Recommended answer

Yes, the refresh token is used to obtain a new access token.

When you request the access token for the first time, you usually start by sending a token request to the token endpoint, in case of the so-called Resource Owner Password Credentials Grant with user credentials in the request header, e.g.

grant_type=password&username=user1&password=very_secret

when the access token is expired, you have to request a new access token. This time, with a refresh token which is still valid, you don't need the user credentials again but send

grant_type=refresh_token&refresh_token=<your refresh token>

instead. This way you don't need to store the user credential on client side and don't need to bother the user again with a login procedure. As you know the expiry time, you can also implement a mechanism to refresh your token before the access_token is expired.

Additionally you can read this for further information about the topic: https://auth0.com/learn/refresh-tokens/

The following tutorial also has a screenshot of how to use the refresh token in Postman: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ (scroll down to step 6). Generally I can recommend reading Taiseer Joudeh's tutorials, esp. for C#, ASP.NET and Angular programmers.
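As an added example, not code from the question, the answer or the linked articles: a minimal Python client that sends the two form bodies quoted above to a token endpoint, first with the password grant and then, shortly before the access token expires, with the refresh_token grant, and raises PermissionError when the refresh token itself has expired so the caller knows the user must log in again. The token endpoint is a constructed in-memory stub (with single-use, rotated refresh tokens) so the flow runs offline; its name is hypothetical and the 10/40-minute lifetimes are those from the question.

```python
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the authorization server's token endpoint (hypothetical;
# a real client would POST the same form bodies to e.g. /oauth/token over HTTPS).
ACCESS_TTL, REFRESH_TTL = 600, 2400          # 10 and 40 minutes, as in the question
_USERS = {"user1": "very_secret"}
_REFRESH_TOKENS = {}                         # refresh_token -> (username, expiry)

def token_endpoint(form_body, now):
    """Return (status, json) for an x-www-form-urlencoded token request at time `now`."""
    p = {k: v[0] for k, v in parse_qs(form_body).items()}
    if p.get("grant_type") == "password":
        if _USERS.get(p.get("username")) != p.get("password"):
            return 400, {"error": "invalid_grant"}
        user = p["username"]
    elif p.get("grant_type") == "refresh_token":
        # Refresh tokens are single use here: the presented one is revoked on rotation.
        user, expiry = _REFRESH_TOKENS.pop(p.get("refresh_token"), (None, 0))
        if user is None or expiry < now:
            return 400, {"error": "invalid_grant"}
    else:
        return 400, {"error": "unsupported_grant_type"}
    refresh = secrets.token_urlsafe(32)
    _REFRESH_TOKENS[refresh] = (user, now + REFRESH_TTL)
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": ACCESS_TTL, "refresh_token": refresh}

class OAuth2Client:
    """Keeps the token pair; `now` (epoch seconds) is passed in to keep the example testable."""
    def __init__(self, post=token_endpoint, skew=30):
        self.post, self.skew = post, skew       # refresh `skew` seconds before expiry
        self.access = self.refresh = None
        self.expires_at = 0
    def login(self, username, password, now):
        body = urlencode({"grant_type": "password", "username": username, "password": password})
        self._store(now, *self.post(body, now))
    def refresh_access(self, now):
        body = urlencode({"grant_type": "refresh_token", "refresh_token": self.refresh})
        self._store(now, *self.post(body, now))
    def _store(self, now, status, resp):
        if status != 200:                        # expired/revoked refresh token or bad
            raise PermissionError(resp["error"])   # credentials: user must log in again
        self.access, self.refresh = resp["access_token"], resp["refresh_token"]
        self.expires_at = now + resp["expires_in"]
    def auth_header(self, now):
        """Authorization header for an API call, refreshing first if (nearly) expired."""
        if now >= self.expires_at - self.skew:
            self.refresh_access(now)
        return {"Authorization": f"Bearer {self.access}"}
```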
