Is using a Refresh Token in token-based authentication secure?

Question

I am building token-based authentication (Node.js using passport/JWT with an Angular client).

After the user enters his credentials he gets an access token, which he sends in every request inside the header (header: bearer TOKEN).

I don't want to prompt a login request every time his access token expires (about every day, I guess), so I've heard about Refresh Tokens. The refresh token never expires (or rarely expires) and is able to renew tokens indefinitely. When the access token is about to expire, the client can send a renewal request to get a new access token by sending his refresh token.

I don't understand a few things; I might be missing something:

  1. How do long-living/never-expiring refresh tokens not ruin the security of having short-living access tokens?

Cookies can be stolen and used until they expire. Tokens are short-living, so they are more secure, but if I provide a long-living refresh token I lose the advantage of using tokens.

NOTE: I am aware that the refresh tokens are sent at the initial login, so they can't be spoofed in every request, but if they are spoofed at the initial request they are vulnerable.

Answer

The refresh token is presented on a different path than the access token: the access token is only ever presented to the Resource Server, and the refresh token is only ever presented to the Authorization Server. The access token can be self-contained so that it does not need costly calls to the Authorization Server to check its validity, but to mitigate loss and to increase accuracy (it cannot be revoked in case something goes wrong) it is short-lived. The refresh token is long-lived and gets validated on each call to the Authorization Server, and as such it can be revoked. The combination of the two makes the system secure.
