What is the purpose of a "Refresh Token"?


Question

I have a program that integrates with the YouTube Live Streaming API. It runs on timers, so it's been relatively easy for me to program it to fetch a new Access Token every 50 minutes with a Refresh Token. My question is, why?

When I authenticated with YouTube, it gave me a Refresh Token. I then use this refresh token to get a new Access Token about once an hour. If I have the Refresh Token, I can ALWAYS use this to get a new Access Token, since it never expires. So I don't see how this is any more secure than just giving me an Access Token from the start and not bothering with the whole Refresh Token system.

Recommended answer

Basically, refresh tokens are used to get new access tokens.

To clearly differentiate these two tokens and avoid getting mixed up, here are their functions as given in The OAuth 2.0 Authorization Framework:

  • Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server.
  • Refresh Tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope.

Now, to answer your question on why you were still being issued a refresh token instead of just securing an access token, the main reason provided by the Internet Engineering Task Force in Refresh tokens is:

There is a security reason: the refresh_token is only ever exchanged with the authorization server, whereas the access_token is exchanged with resource servers. This mitigates the risk of a long-lived access_token leaking, in the "an access token good for an hour, with a refresh token good for a year or good-till-revoked" vs "an access token good-till-revoked without a refresh token" comparison.

For more detailed and complete information on the OAuth 2.0 Flow, please try going through the following references:
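The split the answer describes, as an added example that is not part of the original post or of the YouTube API: an authorization server that is the only party holding refresh tokens, a resource server that accepts only short-lived access tokens, and the RFC 6749 rule that a refresh may only narrow scope. Clock values and scope names are constructed; the resource server's `introspect` call to the authorization server is an assumed simplification standing in for whatever token validation a real resource server does.

```python
import secrets

# Lifetimes from the answer: access token good for an hour, refresh token good
# for a year or until revoked. Times are plain seconds supplied by the caller.
ACCESS_TTL = 3600
REFRESH_TTL = 365 * 86400

class AuthorizationServer:
    """The only party that ever sees a refresh token."""
    def __init__(self):
        self._access = {}   # access token  -> (scope, expires_at)
        self._refresh = {}  # refresh token -> (scope, expires_at)

    def authorize(self, scope, now):
        """Initial grant after user approval: (access_token, refresh_token)."""
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = (frozenset(scope), now + REFRESH_TTL)
        return self._mint_access(frozenset(scope), now), refresh

    def refresh_grant(self, refresh, now, scope=None):
        """Trade a refresh token for a new access token; None if refused."""
        entry = self._refresh.get(refresh)
        if entry is None or now >= entry[1]:
            return None
        wanted = frozenset(scope) if scope else entry[0]
        if not wanted <= entry[0]:  # RFC 6749: identical or narrower scope only
            return None
        return self._mint_access(wanted, now)

    def revoke(self, refresh):
        self._refresh.pop(refresh, None)

    def introspect(self, token, now):
        """Scope of a live access token, or None if unknown or expired."""
        entry = self._access.get(token)
        return None if entry is None or now >= entry[1] else entry[0]

    def _mint_access(self, scope, now):
        token = secrets.token_urlsafe(32)
        self._access[token] = (scope, now + ACCESS_TTL)
        return token

class ResourceServer:
    """Accepts bearer access tokens only; a refresh token means nothing here."""
    def __init__(self, auth):
        self._auth = auth

    def request(self, bearer, needed_scope, now):
        scope = self._auth.introspect(bearer, now)
        return 200 if scope and needed_scope in scope else 401
```

A leaked access token is useless one hour after issue, and a leaked refresh token is useless against the resource server at any time; only the authorization server, which can also revoke it, will honour it.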
