


I am new to OAuth 2.0 and I wish to know what the best practice / location is to store the access token and refresh token in a generic e-commerce web site.


Question 1:
Where should the access token and refresh token be stored in web sites (cookies, web storage or local storage)? And where do big companies like Google and Dropbox store the access token and refresh token?

Question 2:
If the refresh token is stored on the client side (taking a browser on a desktop/laptop), isn't it possible that someone who has physical access to that device is able to get the refresh token and device information and use them to generate an access token somewhere else?


Question 3:
I have seen some posts that suggest that the refresh token should never be stored on or known by the client side. Then, where should the refresh token be stored, and how to re-authenticate in this case?



A1: the access token has a much shorter time-to-live than the refresh token; you may store the refresh token in local storage or even in other secure storage on the server side. For the access token, both web storage and local storage are fine; storing the access token in a cookie does not make much sense.


A2: yes, hence the refresh token should not be stored on the client side.


A3: store it on the server/service side.
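The arrangement A2 and A3 describe (the refresh token held only on the server, the browser receiving just an opaque session id in an HttpOnly cookie and short-lived access tokens), as an added example that is not part of the original question or answers; ServerSideTokenStore, session_cookie and the FakeAuthServer stand-in are assumed names, not any real library:

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class TokenRecord:
    access_token: str
    access_expires_at: float   # epoch seconds
    refresh_token: str         # never leaves the server

class ServerSideTokenStore:    # refresh tokens live here, keyed by an opaque session id
    def __init__(self, refresh_fn, leeway=30):
        # refresh_fn(refresh_token) -> (access_token, expires_in, new_refresh_token or None)
        self._refresh_fn = refresh_fn
        self._leeway = leeway          # refresh this many seconds before expiry
        self._records = {}

    def create_session(self, access_token, expires_in, refresh_token, now=None):
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)   # unguessable and carries no token material
        self._records[session_id] = TokenRecord(access_token, now + expires_in, refresh_token)
        return session_id

    def access_token_for(self, session_id, now=None):
        """Return a valid access token, refreshing on the server when it is (nearly) expired."""
        now = time.time() if now is None else now
        rec = self._records.get(session_id)
        if rec is None:
            raise KeyError("unknown or revoked session")
        if now + self._leeway < rec.access_expires_at:
            return rec.access_token
        access, expires_in, new_refresh = self._refresh_fn(rec.refresh_token)
        rec.access_token, rec.access_expires_at = access, now + expires_in
        if new_refresh:                # honour refresh-token rotation if the server does it
            rec.refresh_token = new_refresh
        return access

    def revoke(self, session_id):      # server-side storage makes logout/revocation a one-liner
        self._records.pop(session_id, None)

def session_cookie(session_id):
    # What the browser gets: only the opaque id, unreadable by page scripts and HTTPS-only
    return f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"

class FakeAuthServer:
    calls = 0   # constructed stand-in for the authorization server's token endpoint
    def refresh(self, refresh_token):
        self.calls += 1
        return f"access-{self.calls}", 3600, f"{refresh_token}-r{self.calls}"
```

Because the browser never sees the refresh token, physical access to the device (Q2) yields at most the session id, which the server can revoke at any time.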


07-17 01:43