Question
I'm building a mobile app and am using JWT for authentication.
It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want.
- What does the refresh token look like? Is it a random string? Is that string encrypted? Is it another JWT?
- The refresh token would be stored in the database on the user model for access, right? It seems like it should be encrypted in that case.
- Would I send back the refresh token after the user logs in, and then have the client hit a separate route to retrieve the access token?
Recommended answer
Assuming that this is about OAuth 2.0 since it is about JWTs and refresh tokens...:
just like an access token, in principle a refresh token can be anything including all of the options you describe; a JWT could be used when the Authorization Server wants to be stateless or wants to enforce some sort of "proof-of-possession" semantics on to the client presenting it; note that a refresh token differs from an access token in that it is not presented to a Resource Server but only to the Authorization Server that issued it in the first place, so the self-contained validation optimization for JWTs-as-access-tokens does not hold for refresh tokens
that depends on the security/access of the database; if the database can be accessed by other parties/servers/applications/users, then yes (but your mileage may vary with where and how you store the encryption key...)
an Authorization Server may issue both access tokens and refresh tokens at the same time, depending on the grant that is used by the client to obtain them; the spec contains the details and options on each of the standardized grants
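As an added example (not part of the original question or answer), a minimal Python sketch of the flow the answer describes: a self-contained HS256 JWT as the access token that a resource server checks without a database lookup, an opaque random refresh token of which only a SHA-256 hash is persisted (a hash rather than encryption, since the Authorization Server only ever needs to compare it and never needs the plaintext back), both issued together when the grant completes, and a refresh endpoint that rotates the refresh token so a replayed one is rejected. The signing key, the in-memory store and all function names are assumptions made for this example.

```python
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = b"example-hmac-key-change-me"  # constructed for the example
REFRESH_STORE = {}  # sha256(refresh_token) -> {"sub": ..., "exp": ...}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _segment(obj):
    return _b64(json.dumps(obj, separators=(",", ":")).encode())

def issue_access_token(sub, now, ttl=300):
    """Self-contained HS256 JWT: a resource server verifies it with no DB lookup."""
    body = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(
        {"sub": sub, "iat": int(now), "exp": int(now) + ttl})
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def verify_access_token(token, now):
    """Resource-server check: signature and expiry only, nothing stored server-side."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > now else None

def issue_refresh_token(sub, now, ttl=30 * 86400):
    """Opaque random refresh token; only its SHA-256 hash is persisted."""
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[hashlib.sha256(token.encode()).hexdigest()] = {"sub": sub, "exp": now + ttl}
    return token

def login(sub, now=None):
    """Grant completed (credentials checked elsewhere): both tokens in one response."""
    now = time.time() if now is None else now
    return {"access_token": issue_access_token(sub, now),
            "refresh_token": issue_refresh_token(sub, now), "token_type": "Bearer"}

def refresh(refresh_token, now=None):
    """Refresh grant at the Authorization Server: look up the hash, reject expired or
    already-used tokens, rotate the refresh token and mint a fresh access token."""
    now = time.time() if now is None else now
    record = REFRESH_STORE.pop(hashlib.sha256(refresh_token.encode()).hexdigest(), None)
    if record is None or record["exp"] < now:
        return None
    return login(record["sub"], now)
```

Because the refresh token is popped from the store on use, a second presentation of the same token (for example from a leaked copy) fails, which is the detection signal a real server would log.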