Why isn't it possible to steal an access token?


Question

I'm learning OAuth and I have a question in my head I can't find an answer to.

I understood that the request token is used to authorize (or not) an application to use the API. But once the user has got an access token, what happens if someone steals his access token?

Imagine that we have something like http://www.example.com/api/article/1?access_token=******access_token******

If I give this url to another user, the other would have my access and so the API isn't protected anymore?

Accepted answer

Short answer: Yes, for OAuth2 - whoever has a valid access_token would have access to the resources designated by that token. For how long depends on the OAuth2 provider's implementation.

Long answer, about both OAuth1 and 2:

When it comes to OAuth 1, an access token is not enough. You would also need the access token secret, and also the consumer key and secret. It is still good to keep the access tokens confidential, and to limit their scope and time of validity, but you cannot use the access token without the client and token secrets. OAuth 1 doesn't require that you use SSL, because cryptography is built right into the specification.

OAuth 2 is different - it is arguably more important that access tokens are kept confidential. Therefore the API provider should ensure that access tokens, which in OAuth2 are also known as Bearer tokens, are valid only for as short a time as possible. These tokens work like passwords, and if intercepted can be used immediately by an attacker. Therefore the OAuth2 (with bearer token) specification requires that all communication takes place over SSL - since no cryptography is built into the specification. Typically access tokens have a short validity, which can be refreshed with a "refresh token" which has longer validity but is only transferred when the initial bearer token is received by the consumer, and when a bearer token is refreshed.
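To make the answer's contrast concrete, here is an added example (not part of the original question or answer) of what a provider actually checks in each case: an OAuth 1 HMAC-SHA1 signature recomputed from the stored consumer and token secrets (RFC 5849), next to a plain OAuth 2 bearer comparison. All credentials, the nonce and the timestamp are constructed values; the URL is the one from the question.

```python
import base64
import hmac
from urllib.parse import quote

# Constructed sample credentials (assumed to be what the provider has on file).
CONSUMER_KEY, CONSUMER_SECRET = "app-key", "app-secret"
ACCESS_TOKEN, TOKEN_SECRET = "user-token", "user-token-secret"
URL = "http://www.example.com/api/article/1"

def _enc(s):
    return quote(str(s), safe="")  # RFC 3986 encoding as RFC 5849 section 3.6 requires

def oauth1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over method, URL and sorted parameters (RFC 5849 section 3.4)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    base = "&".join([method.upper(), _enc(url), _enc("&".join(f"{k}={v}" for k, v in pairs))])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), "sha1").digest()).decode()

def oauth1_request(method, url, consumer_secret, token_secret, nonce, ts="1700000000"):
    """Client side: the signed parameter set for one request (nonce/timestamp are constructed)."""
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": ACCESS_TOKEN,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": ts, "oauth_nonce": nonce}
    params["oauth_signature"] = oauth1_signature(method, url, params, consumer_secret, token_secret)
    return params

def provider_accepts_oauth1(method, url, params, seen_nonces):
    """Provider side: recompute the signature from the stored secrets; reject a reused nonce."""
    sent = dict(params)
    sig = sent.pop("oauth_signature", "")
    if sent.get("oauth_consumer_key") != CONSUMER_KEY or sent.get("oauth_token") != ACCESS_TOKEN:
        return False
    nonce = (sent.get("oauth_timestamp"), sent.get("oauth_nonce"))
    expected = oauth1_signature(method, url, sent, CONSUMER_SECRET, TOKEN_SECRET)
    if nonce in seen_nonces or not hmac.compare_digest(expected, sig):
        return False  # replayed, or not signed with the real secrets
    seen_nonces.add(nonce)
    return True

def provider_accepts_bearer(token):
    """OAuth 2 bearer check: the token string alone is the whole credential."""
    return token == ACCESS_TOKEN

def demo():
    seen = set()
    legit = oauth1_request("GET", URL, CONSUMER_SECRET, TOKEN_SECRET, nonce="n1")
    # Someone who only saw the URL knows oauth_token but not the secrets, so must guess them.
    forged = oauth1_request("GET", URL, "guess", "guess", nonce="n2")
    return {"oauth1_legit": provider_accepts_oauth1("GET", URL, legit, seen),
            "oauth1_replay": provider_accepts_oauth1("GET", URL, legit, seen),
            "oauth1_token_only": provider_accepts_oauth1("GET", URL, forged, seen),
            "bearer_copied_url": provider_accepts_bearer(ACCESS_TOKEN)}
```

The nonce check shows why an intercepted OAuth 1 request cannot simply be resent either, whereas the bearer case accepts the bare token string, which is why the answer insists on TLS and short lifetimes for OAuth 2.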
