OAuth access token and page refreshes


Question


I can see OAuth working well for a fully Ajaxified application, as the local JS code can always replay the Bearer token to the server. However, what happens if we have a page refresh? In that case I assume we lose the token and then go back through the OAuth redirect process to get yet a new access token issued. Is this correct, and are there patterns to avoid this, such as storing the access token in HTML5 local storage?

Answer


If you're talking OAuth 2.0 then you can probably request both a refresh token and access (or Bearer) token when you authenticate with the OAuth 2.0 provider. The refresh token should be returned directly to the server hosting the web application, stored somehow (perhaps session state) and NOT ever exposed to the browser. The browser can use the access token to make requests to secured services/endpoints which require it but it should have a short lifetime (regardless of whether or not there was a page refresh). When it expires (again may or may not be due to a page refresh) the client application can make a request to the hosting server where the refresh token was delivered. The server can then use the refresh token to get a new access token WITHOUT the user needing to login again.

Refresh token section


There are several variations of how OAuth 2.0 can be used and details may vary with your particular scenario and implementation but hopefully that gives you a high-level idea of how you can avoid prompting the user to re-authenticate when the access token expires or on page reload.
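The server-side half of the pattern described in this answer, as an added example that is not part of the original post or of any OAuth library: the hosting server keeps the refresh token in its own session state, the browser only ever receives the short-lived access token, and when that expires the server exchanges the refresh token at the provider's token endpoint (a refresh_token grant). The token endpoint here is a constructed stand-in so the code runs offline; `fake_token_endpoint`, the session keys, and the token values are assumptions.

```python
import time

# Constructed stand-in for the provider's token endpoint. A real deployment
# would POST the same form fields over HTTPS with client authentication.
def fake_token_endpoint(form: dict) -> dict:
    assert form["grant_type"] == "refresh_token"
    if form["refresh_token"] != "rt-valid-123":
        return {"error": "invalid_grant"}
    # Provider rotates the refresh token and issues a 5-minute access token.
    return {"access_token": "at-new-456", "token_type": "Bearer",
            "expires_in": 300, "refresh_token": "rt-rotated-789"}

def refresh_access_token(session: dict, token_endpoint, now=time.time) -> dict:
    """Handler the hosting server runs when the browser asks for a fresh
    access token. `session` is server-held state (e.g. the user's session);
    the returned dict is all the browser sees, so the refresh token never
    leaves the server."""
    if session.get("access_expires_at", 0) - 30 > now():
        # Cached token still valid (30 s clock-skew margin): hand it back.
        return {"access_token": session["access_token"],
                "expires_at": session["access_expires_at"]}
    resp = token_endpoint({"grant_type": "refresh_token",
                           "refresh_token": session["refresh_token"],
                           "client_id": session["client_id"]})
    if "error" in resp:
        # Refresh token revoked or expired: drop the session and make the
        # browser go through the full authorization redirect again.
        session.clear()
        return {"error": "reauthenticate"}
    session["access_token"] = resp["access_token"]
    session["access_expires_at"] = now() + resp["expires_in"]
    # If the provider rotated the refresh token, the new one replaces the old
    # one, again only in server-side state.
    session["refresh_token"] = resp.get("refresh_token", session["refresh_token"])
    return {"access_token": resp["access_token"],
            "expires_at": session["access_expires_at"]}
```

After a page reload the browser simply calls this endpoint again: it gets a valid access token back from server-side state without a new login, and the refresh token is never exposed to page scripts or local storage.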
