what's the point of refresh token?


Problem description

I have to confess I've had this question for a very long time and never really understood it.

Say an auth token is like a key to a safe: when it expires it's not usable anymore. Now we're given a magic refresh token, which can be used to get another usable key, and another... until the magic key expires. So why not just set the expiration of the auth token to the same as the refresh token? Why bother at all?

What's the valid reason for it, maybe a historical one? Really want to know. Thanks.

Recommended answer

The referenced answer (via @Anders) is helpful. It states:

In case of compromise, the time window it's valid for is limited, but the tokens are used over SSL, so unlikely to be compromised.

I think the important part is that access tokens will often get logged (especially when used as a query parameter, which is helpful for JSONP), so it's best for them to be short-lived.

There are a few additional reasons, with large-scale implementations of OAuth 2.0 by service providers:

  1. API servers can securely validate access tokens without DB lookups or RPC calls if it's okay to not worry about revocation. This can have strong performance benefits and lessen complexity for the API servers. Best if you're okay with a token revocation taking 30m-60m (or whatever the length of the access token is). Of course, the API servers could also keep an in-memory list of tokens revoked in the last hour too.

  2. Since tokens can have multiple scopes with access to multiple different API services, having short-lived access tokens prevents a developer of API service from getting lifelong access to a user's data on API service B. Compartmentalization is good for security.
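The split the answer describes, as an added example (not code from the original post): API servers verify a short-lived, HMAC-signed access token locally with no lookup, while refresh tokens live in one server-side store where they can be revoked. The token format, `SECRET`, `ACCESS_TTL` and `REFRESH_STORE` are assumptions for illustration.

```python
# Added example, not from the original answer: stateless short-lived access
# tokens (verified by signature + expiry only) alongside revocable, server-side
# refresh tokens. Token layout and names below are illustrative assumptions.
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"   # shared by the issuer and every API server
ACCESS_TTL = 3600                  # 60 minutes, the window the answer mentions
REFRESH_STORE = {}                 # refresh token -> (user, scopes); the only state

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_access_token(user: str, scopes: list, now: float) -> str:
    claims = {"sub": user, "scp": scopes, "exp": int(now + ACCESS_TTL)}
    body = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_access_token(token: str, now: float):
    """What an API server runs locally: check signature, then expiry. No DB."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                                  # tampered or wrong key
    padded = body + "=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims["exp"] <= now:
        return None                                  # expired: must refresh
    return claims

def issue_refresh_token(user: str, scopes: list) -> str:
    token = secrets.token_urlsafe(32)                # opaque, unguessable
    REFRESH_STORE[token] = (user, scopes)
    return token

def refresh(token: str, now: float):
    """Exchange a refresh token: the one place a lookup (and revocation) happens."""
    entry = REFRESH_STORE.get(token)
    if entry is None:
        return None                                  # revoked or never issued
    return mint_access_token(*entry, now)

def revoke(token: str) -> None:
    REFRESH_STORE.pop(token, None)

if __name__ == "__main__":
    rt = issue_refresh_token("alice", ["api_a:read"])
    at = refresh(rt, time.time())
    print(verify_access_token(at, time.time()))
```

A revoked refresh token stops new access tokens immediately, while an already issued access token stays valid until its `exp`, which is exactly the 30m-60m revocation lag the answer describes.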
