OAuth Client Credential Flow - Refresh Tokens


Problem description

Scenario

I've recently built an API, and have protected its resources using OAuth Bearer Access Tokens.

I've used the Client_Credentials Flow, as it will be accessed by clients as opposed to users.

Here's the thing: when a client has successfully provided the client_id and the client_secret, they receive a response like the following:

{
  "access_token": "<Access Token>",
  "token_type": "bearer",
  "expires_in": 1199,
  "refresh_token": "<Refresh Token>"
}

Refresh tokens.

Not knowing much about refresh tokens, I immediately assumed that a client would be able to provide the OAuth Server the refresh_token to retrieve a fresh Access_Token.

This is "sort of" correct.

In order to use the refresh_token, the client still needs to pass the client_id and client_secret along with the refresh_token to get a new access token.

The grant_type also needs to be changed to refresh_token.

Where is the benefit of a refresh_token using this flow? If I need to pass the client_id and client_secret each time, surely you would just avoid using a refresh token altogether?

Recommended answer

The issuance of a refresh token with the client credential grant has no benefit. That is why RFC 6749 section 4.4.3 indicates "A refresh token SHOULD NOT be included." Thus its issuance is at the discretion of the authorization server.

From my point of view an authorization server should never issue a refresh token with the client credentials grant, as the access token issuance process will take an additional and unnecessary step:

Issuance with the client_credentials grant type:

  • Step 1: client authentication (client secret, assertion...)
  • OK: issue access token

Issuance with the refresh_token grant type:

  • Step 1: client authentication (client secret, assertion...)
  • Step 2: refresh token validation (expiry, associated client...)
  • OK: issue access token
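The two issuance paths the answer lists (and the refresh exchange the question describes, where the client must still send client_id and client_secret with grant_type=refresh_token) can be made concrete with a toy in-memory token endpoint. This is an added example, not code from the question, the answer or any real authorization server. The client registry, the token lifetimes other than the question's expires_in value of 1199, the refresh_for_client_credentials switch, the steps list and the refresh-token rotation are all assumptions made for the demonstration.

```python
"""Toy OAuth 2.0 token endpoint (in-memory, no HTTP) contrasting the
client_credentials and refresh_token grants. Added example; constructed data."""
import hmac
import secrets
import time

# Constructed demo client registry; not real credentials.
CLIENTS = {"demo-client": "demo-secret"}

# Server-side refresh token store: token -> {"client_id": ..., "expires_at": ...}
REFRESH_TOKENS = {}

ACCESS_TOKEN_LIFETIME = 1199    # matches the expires_in value in the question
REFRESH_TOKEN_LIFETIME = 86400  # assumed lifetime for this demo


def authenticate_client(client_id, client_secret):
    """Step 1 for every grant: authenticate the client (constant-time compare)."""
    expected = CLIENTS.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), client_secret.encode())


def validate_refresh_token(refresh_token, client_id, now):
    """Extra step for the refresh_token grant: the token must exist, be unexpired
    and be bound to the client that just authenticated (RFC 6749 section 6)."""
    entry = REFRESH_TOKENS.get(refresh_token)
    if entry is None or entry["client_id"] != client_id or entry["expires_at"] <= now:
        return False
    return True


def issue_access_token(client_id, now, include_refresh_token):
    """Build the token response; a refresh token is created and stored only if asked."""
    response = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": ACCESS_TOKEN_LIFETIME,
    }
    if include_refresh_token:
        refresh_token = secrets.token_urlsafe(32)
        REFRESH_TOKENS[refresh_token] = {
            "client_id": client_id,
            "expires_at": now + REFRESH_TOKEN_LIFETIME,
        }
        response["refresh_token"] = refresh_token
    return response


def token_endpoint(params, now=None, refresh_for_client_credentials=False, steps=None):
    """Handle a token request. `steps` (optional list) records the checks performed so
    the two grants can be compared. `refresh_for_client_credentials` defaults to False,
    following the SHOULD NOT in RFC 6749 section 4.4.3."""
    now = time.time() if now is None else now
    steps = [] if steps is None else steps
    client_id = params.get("client_id", "")

    steps.append("client_authentication")
    if not authenticate_client(client_id, params.get("client_secret", "")):
        return {"error": "invalid_client"}

    grant_type = params.get("grant_type")
    if grant_type == "client_credentials":
        steps.append("issue_access_token")
        return issue_access_token(client_id, now, refresh_for_client_credentials)

    if grant_type == "refresh_token":
        steps.append("refresh_token_validation")
        old = params.get("refresh_token", "")
        if not validate_refresh_token(old, client_id, now):
            return {"error": "invalid_grant"}
        # Rotate: revoke the used refresh token and issue a new one with the access token.
        del REFRESH_TOKENS[old]
        steps.append("issue_access_token")
        return issue_access_token(client_id, now, include_refresh_token=True)

    return {"error": "unsupported_grant_type"}


if __name__ == "__main__":
    creds = {"client_id": "demo-client", "client_secret": "demo-secret"}
    steps = []
    first = token_endpoint({"grant_type": "client_credentials", **creds},
                           steps=steps, refresh_for_client_credentials=True)
    print("client_credentials steps:", steps)
    steps = []
    token_endpoint({"grant_type": "refresh_token",
                    "refresh_token": first["refresh_token"], **creds}, steps=steps)
    print("refresh_token steps:", steps)
```

Running it shows the point of the answer directly: the client_credentials path records client authentication and token issuance, while the refresh_token path records the same client authentication plus a refresh token validation step before issuance. Because the refresh grant cannot skip client authentication for a confidential client, the refresh token adds a lookup, an expiry check and a client-binding check without removing anything. The rotation (old token revoked on use) is an assumption here; it limits the damage if a stored refresh token leaks, which is the one reason an operator might still want one.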
