OAuth Revoke access token only


Problem description

I'm using OAuth 2.0 to log in users on my website, just like any kind of website, e.g. Google, Asana, etc.

What I would like to know is if there is a way to revoke ONLY the access token and not the refresh token when the user logs out.

This is what I do:

When a user logs in, I create a session and obtain the access token (and the refresh token if the user logs in for the first time). When the user logs out, I just invalidate the session, but the access token is still valid.

Sure, the access token will be invalidated after a while or when the user logs in to the web app again, but what I want to know is if the access token can be invalidated during the logout process.

Recommended answer

There's no generic answer to this question, as the implementation of token revocation behavior with respect to related tokens is Authorization Server specific. Google will invalidate the refresh token together with the access token that is being revoked; other implementations may choose not to do so. Yet other implementations may not even offer a way to revoke access tokens at all.

For Google you can revoke the access token upon logout as described in https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke, but it will also revoke the associated refresh token. You must then go through the authorization code flow again to get a new refresh token, which you could try with prompt=none to avoid the user being prompted.
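The logout sequence the answer describes, as an added example that is not part of the question or the answer: the server-side session is dropped first, the access token is then revoked at the Authorization Server, and, because Google also invalidates the linked refresh token, the user is flagged so the next login re-runs the authorization code flow (with prompt=none as the answer suggests trying). The session store, the user ids and token strings are constructed for the example; the revocation and authorization endpoint URLs are Google's current ones and are an assumption of this example rather than values from the page; the injectable `post` callable exists only so the revocation request can be exercised without network access.

```python
# Added example: OAuth 2.0 client logout that invalidates the local session
# AND revokes the access token at the Authorization Server.
# Assumptions (not from the page): in-memory session store; Google's current
# endpoint URLs; an injectable `post` callable for offline exercising.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode
import urllib.error
import urllib.request

GOOGLE_REVOKE_URL = "https://oauth2.googleapis.com/revoke"      # assumed
GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"  # assumed

# A post callable takes (url, form_fields) and returns (http_status, body).
PostFn = Callable[[str, Dict[str, str]], Tuple[int, str]]


def default_post(url: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTPS POST with an application/x-www-form-urlencoded body."""
    req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


@dataclass
class Session:
    user_id: str
    access_token: str
    refresh_token: Optional[str]  # None unless this was a first-time login


class SessionStore:
    """Minimal server-side session store (constructed for the example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        # user_id -> True once revocation has also killed the refresh token
        self.needs_reauthorization: Dict[str, bool] = {}

    def create(self, session_id: str, session: Session) -> None:
        self._sessions[session_id] = session

    def pop(self, session_id: str) -> Optional[Session]:
        return self._sessions.pop(session_id, None)


def revoke_token(token: str, post: PostFn = default_post) -> bool:
    """RFC 7009-style revocation: POST token=<value>; HTTP 200 means revoked."""
    status, _ = post(GOOGLE_REVOKE_URL, {"token": token})
    return status == 200


def logout(store: SessionStore, session_id: str,
           post: PostFn = default_post) -> Dict[str, bool]:
    """Drop the session, then revoke the access token (best effort).

    The session is removed even when revocation fails, so logout never leaves
    a usable session behind; the result reports whether revocation succeeded
    so the caller can log a failure.
    """
    session = store.pop(session_id)
    if session is None:
        return {"session_invalidated": False, "access_token_revoked": False,
                "refresh_token_lost": False}
    revoked = revoke_token(session.access_token, post)
    if revoked:
        # With Google the linked refresh token is revoked as well, so the
        # next login must go through the authorization code flow again.
        store.needs_reauthorization[session.user_id] = True
    return {"session_invalidated": True, "access_token_revoked": revoked,
            "refresh_token_lost": revoked}


def reauthorization_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, silent: bool = True) -> str:
    """Authorization code request for the next login; prompt=none asks the
    server for a silent attempt (what the answer suggests trying)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "access_type": "offline",  # ask for a new refresh token
    }
    if silent:
        params["prompt"] = "none"
    return GOOGLE_AUTH_URL + "?" + urlencode(params)
```

Ordering matters: the local session is destroyed before the network call, so a revocation endpoint that is slow or returns an error (for instance an already-expired token, which Google answers with HTTP 400) cannot leave the browser logged in. The `needs_reauthorization` flag is what the login handler consults to decide whether a stored refresh token can still be trusted or the full flow has to run again.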
