What is intent of ID Token expiry time in OpenID Connect?


Question

In OpenID Connect an access token has an expiry time. For authorization code flow, this is typically short (eg 20 minutes) after which you use the refresh token to request a new access token.

The ID token also has an expiry time. My question is what is the intent of this?

Any ID token expiry time less than the expiry time of the refresh token will mean you will eventually have an expired ID token, but a valid access token.

Are you meant to:

  • give your ID token a longer expiry time than the refresh token, or
  • set it to the same expiry time as the access token and do something (what?) when it expires, or
  • only use the ID token in the Client when it is received, and ignore the expiry time after that?

The OpenID Connect specification just says that when validating an ID token,

"The current time MUST be before the time represented by the exp Claim."

which (possibly) supports the third option above.

EDIT

As OpenID Connect builds on OAuth2 the answer to the supplementary question below can be found in the OAuth2 specification which says,

expires_in
     RECOMMENDED.  The lifetime in seconds of the access token.


A related question is when you exchange an authorization code for the tokens, the same specification says you might get a response such as:

{
 "access_token": "SlAV32hkKG",
 "token_type": "Bearer",
 "refresh_token": "8xLOxBtZp8",
 "expires_in": 3600,
 "id_token": "eyJhbG[...]"
}

But what does "expires_in" relate to in this case? The access token, the refresh token or the ID token?

(For information, IdentityServer3 sets this to the access token expiry time).

Answer

I'm answering my own question as I have discovered that some of the assumptions behind my question were wrong, so it is easier to clarify here, rather than re-write the question.

An ID token is meant for proving to a Client that the user has authenticated, and who they are as a result.

When a Client receives an ID token, it will generally do something like convert it to a ClaimsIdentity, and persist this, eg using a cookie.

The ID token has to be un-expired at this point of use (which it should be, since it has just been issued). But after this it is not used again, so it does not matter if it expires while the user still has an active session. The Client has the authentication information it needs, and in turn can choose its own policy for how long the session lasts before the user has to log in again.

My wrong assumption when asking the question was that an ID token and access token should be used together, and therefore both needed to have valid expiry dates. This is wrong for various reasons:

  • ID tokens are only for authenticating to a Client (as described above).
  • Access tokens have nothing to do with Clients. They are for access to resources and a Client only handles them if it in turn needs to call a resource.
  • Something like a standalone MVC or WebForms application only needs an ID token. If it isn't calling an external resource, there is nothing to grant access to, so no access token.
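To illustrate the answer's point (the ID token is checked once, at the point of use, and the session lifetime is the Client's own policy), here is an added Python example that is not from the question or from any library: it mints a test ID token with a constructed HS256 key, validates it as the Client must on receipt, then starts a session whose lifetime is independent of the token's exp. ISSUER, CLIENT_ID, SESSION_LIFETIME and the key are assumptions.

```python
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example"      # assumed issuer URL
CLIENT_ID = "my-web-app"            # assumed client_id, expected in aud
DEMO_KEY = b"constructed-demo-key"  # stands in for the IdP's signing key (HS256 for offline use)
SESSION_LIFETIME = 8 * 3600         # the Client's own session policy, unrelated to the ID token exp

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a test ID token (JWT, HS256) so the example runs without an IdP."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, now: int, key: bytes = DEMO_KEY) -> dict:
    """The checks the Client performs once, at the moment the ID token arrives."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if now >= claims["exp"]:  # "The current time MUST be before the time represented by the exp Claim"
        raise ValueError("ID token expired at point of use")
    return claims

def login(token: str, now: int) -> dict:
    """Turn a freshly validated ID token into the local session (the cookie / ClaimsIdentity)."""
    claims = validate_id_token(token, now)
    return {"sub": claims["sub"], "name": claims.get("name"),
            "session_expires": now + SESSION_LIFETIME}

def session_is_valid(session: dict, now: int) -> bool:
    """Later requests consult only the session policy; the ID token is never looked at again."""
    return now < session["session_expires"]
```

The session stays valid long after the 5-minute ID token has expired, while the same token presented late (or with a tampered payload) is rejected at login.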
