What's the point of a refresh token?


Question

I have to confess I've had this question for a very long time and never really understood it.

Say an auth token is like a key to a safe: when it expires it's not usable anymore. Now we're given a magic refresh token, which can be used to get another usable key, and another... until the magic key expires. So why not just set the expiration of the auth token to the same as the refresh token? Why bother at all?

What's the valid reason for it, maybe a historical one? I really want to know. Thanks.

Answer

The referenced answer (via @Anders) is helpful. It states, roughly: "In case of compromise, the time window it's valid for is limited, but the tokens are used over SSL, so unlikely to be compromised." I think the important part is that access tokens will often get logged (especially when used as a query parameter, which is helpful for JSONP), so it's best for them to be short-lived.

There are a few additional reasons, with large-scale implementations of OAuth 2.0 by service providers:


  1. API服务器可以安全地验证访问令牌没有DB查找或RPC调用,如果它没关系不用担心撤销。这个可以有很强的性能优势,为API服务器降低复杂性。最好的,如果你没事了撤销凭证回吐30米-60M(或任何访问令牌的长度)。当然,API服务器也可以保持在最后一小时也撤销令牌在内存中的列表中。

  1. API servers can securely validate access tokens without DB lookups or RPC calls if it's okay to not worry about revocation. This can have strong performance benefits and lessen complexity for the API servers. Best if you're okay with a token revocation taking 30m-60m (or whatever the length of the access token is). Of course, the API servers could also keep an in-memory list of tokens revoked in the last hour too.

  2. Since tokens can have multiple scopes with access to multiple different API services, having short-lived access tokens prevents a developer of API service A from getting lifelong access to a user's data on API service B. Compartmentalization is good for security.
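As an added illustration of the answer's two points (offline validation of short-lived, self-contained access tokens, and an opaque refresh token that lives in a server-side store and can be revoked), here is a minimal Python sketch. It is not code from the original question or answer; the HMAC-signed `payload.signature` token format, the signing key, the TTLs, the scope names and the user `alice` are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed signing key for the example; a real deployment loads this from a KMS or
# environment, never from source.
SIGNING_KEY = b"example-signing-key-do-not-use"
ACCESS_TTL = 600          # 10 minutes: the revocation window the answer describes
REFRESH_TTL = 30 * 86400  # 30 days

# Server-side store for refresh tokens only (in-memory, constructed for the example).
# Access tokens are never stored: API servers validate them from the signature alone.
_refresh_store = {}       # opaque token -> {"sub", "scope", "exp"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(sub: str, scope: list, now: float = None) -> str:
    """Self-contained token: any API server holding SIGNING_KEY can verify it with
    no DB lookup or RPC, which is point 1 of the answer."""
    now = time.time() if now is None else now
    claims = {"sub": sub, "scope": scope, "exp": int(now + ACCESS_TTL)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_access_token(token: str, required_scope: str, now: float = None) -> dict:
    """Validate offline; returns the claims or raises ValueError.
    Caveat: a leaked token stays valid until exp; nothing here can revoke it early."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except Exception:
        raise ValueError("malformed token")
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise ValueError("expired")
    if required_scope not in claims["scope"]:    # service A cannot reach service B's data
        raise ValueError("insufficient scope")
    return claims


def issue_refresh_token(sub: str, scope: list, now: float = None) -> str:
    """Opaque random token resolvable only through the server-side store, so it can
    be revoked instantly. It is only ever sent to the token endpoint over TLS."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _refresh_store[token] = {"sub": sub, "scope": scope, "exp": now + REFRESH_TTL}
    return token


def refresh(refresh_token: str, now: float = None) -> tuple:
    """Exchange a refresh token for a fresh access token, rotating the refresh token
    (single use) so a replayed refresh token is detected as invalid."""
    now = time.time() if now is None else now
    rec = _refresh_store.pop(refresh_token, None)
    if rec is None or rec["exp"] <= now:
        raise ValueError("refresh token invalid or revoked")
    return (issue_access_token(rec["sub"], rec["scope"], now),
            issue_refresh_token(rec["sub"], rec["scope"], now))


def revoke_refresh_token(refresh_token: str) -> bool:
    return _refresh_store.pop(refresh_token, None) is not None


def _rejected(fn, *args) -> bool:
    """True if the call raises ValueError (token rejected)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Issue -> use -> revoke, showing the bounded revocation window of point 1
    and the scope compartmentalization of point 2."""
    t0 = 1_700_000_000                               # fixed clock for reproducibility
    rt = issue_refresh_token("alice", ["photos.read"], t0)
    at, rt2 = refresh(rt, t0)
    sub = verify_access_token(at, "photos.read", t0 + 60)["sub"]
    revoke_refresh_token(rt2)                         # user logs out / token compromised
    return {
        "sub": sub,
        # still accepted after revocation until exp: the 30m-60m tradeoff in point 1
        "valid_after_revoke": not _rejected(verify_access_token, at, "photos.read", t0 + ACCESS_TTL - 1),
        "expired_at_ttl": _rejected(verify_access_token, at, "photos.read", t0 + ACCESS_TTL),
        "old_refresh_replayed": _rejected(refresh, rt, t0 + 5),
        "refresh_after_revoke": _rejected(refresh, rt2, t0 + 120),
        "cross_scope_rejected": _rejected(verify_access_token, at, "contacts.read", t0 + 60),
    }


if __name__ == "__main__":
    print(demo())
```

The access token deliberately carries no store reference, which is what makes it cheap to validate on every API server; the price is that revoking the refresh token does not cut off an access token already in flight until `ACCESS_TTL` elapses, so the TTL should be set to the revocation delay you can tolerate.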

