OAuth2 Refresh Token. How to store it on client-side


Problem description

There is an Authorization OAuth2 Server to get an access + refresh token. As far as I understand, the access token can be stored on the client side, because it has a short life cycle. But can the refresh token be stored there? According to the information that I've read, there is no secure way to do it (here).

So, I have to implement a separate server-side service just to store the refresh token.

Am I right? Is this the only possible way to store the refresh token?

P.S. Client-side: AngularJS

Recommended answer

Yes, you are right. If you cannot authenticate with the Authorisation server (i.e. pass a client ID and secret) then you will only get a short-lived access token.

As the Angular code is on the client, it would be insecure for it to hold your client secret. Therefore you cannot pass your client secret to the Auth server, so you cannot authenticate.

Also, your server code would not just store a token; it would be expected to host an endpoint which would accept an auth code and then call the Auth server with that code (and your client credentials) to get a token and a refresh token.

The auth code would be supplied to your server endpoint via a call from the auth server, via an HTTP redirect, following a successful user login and the user granting access to your app.
