在标题或正文上传递 jwt 刷新令牌 [英] Pass jwt refresh token on header or body
问题描述
访问令牌过期后,应重新颁发刷新令牌.
在这一点上,我有点犹豫哪种方法更好.
对于访问令牌,它为每个请求传递 HTTP 标头.
When access token is expired, it should re-issued refresh token.
At this point, I'm little hesitate which method is better.
For access token, it passed HTTP header per every request.
- 在 HTTP 标头上传递刷新令牌.
- 在 HTTP POST 正文(有效负载)上传递刷新令牌.
推荐哪一个?
推荐答案
jwt 规范建议(但不要求)在 Bearer 类型的授权标头中发送访问令牌.但是没有提到刷新令牌.
The jwt specification recommends (but does not require) sending the access tokens in an authorization header of type Bearer. But there is no mention of the refresh tokens.
刷新令牌是一个 Oauth2 概念.如果您阅读 Rfc6749 规范,以刷新访问令牌,在 POST 请求中使用表单参数发送刷新令牌
Refresh tokens are an Oauth2 concept. If you read the Rfc6749 specification, to refresh an access token, the refresh token is sent using a form parameter in a POST request
6.刷新访问令牌...
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
您可以使用oauth2的示例作为参考(在正文中传递它),虽然如果您不使用oauth2,您没有义务,所以请使用最适合您项目的方法发送.
You can use the example of oauth2 as reference (pass it in the body), although if you do not use oauth2, you have no obligation, so use the method to send that best suits your project.
这篇关于在标题或正文上传递 jwt 刷新令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
