How are refresh tokens more secure than long-lived JWTs?

Problem description
I'm having a hard time understanding the use of refresh tokens when using JWTs with naturally insecure clients (browsers, mobile phones, etc.).
To me, it seems naive to think that if a JWT has been compromised the refresh token has not also been compromised.
The attacker essentially has a source of unlimited JWTs as long as the refresh token remains valid. Even if you invalidate used refresh tokens, the attacker still has the upper hand if they implement a slightly more aggressive refresh policy. How is this different from a compromised long-lived JWT?
When using a long-lived JWT the attacker can only continue getting valid JWTs if they have the ability to continuously exploit whatever vulnerability gave them the JWT in the first place. With refresh tokens, they can get the JWT through a vulnerability once and then get new JWTs with impunity however they like. This seems either equally secure or perhaps even less secure than long-lived JWTs.
What am I missing?
Refresh tokens are revocable. If they are compromised they can immediately be revoked on the authorization server and no more JWTs will be produced.
JWTs, on the other hand, are usually self-contained. That means they are validated locally by checking a token's digital signature. Once issued they cannot be revoked. That's why they should never be long-lived.
If both the JWT and refresh token get compromised, you would revoke the refresh token and the attacker would not get access once the JWT has expired. This might mean the revocation is not immediate.
Another option is to use long-lived reference tokens instead of the JWT and refresh token. In this case, immediate revocation is possible. The downside is that each use of the reference token needs to be validated against the authorization server.
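To make the answer's distinction concrete, here is an added example (not code from the original post or from any particular library) that implements the three token kinds in miniature: a short-lived HS256 JWT that a resource server verifies locally with nothing but the key, an opaque single-use refresh token that exists only as server-side state, and an opaque reference token that is checked against the server on every use. The HMAC key, the subject "alice", the timestamps and the 5-minute lifetime are all constructed for the demo; a real authorization server would normally sign with an asymmetric key so that resource servers hold only the public half. compromise_timeline() walks the scenario from the question: the attacker steals both tokens and refreshes first, the theft is noticed, and the refresh token is revoked. The returned dict shows that revocation stops new JWTs at once, that the already-issued JWTs (the victim's and the attacker's) stay valid until their exp, and that a reference token dies immediately.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key. HS256 keeps the example self-contained; a real
# authorization server would normally sign with an asymmetric key so that
# resource servers hold only the public half.
SECRET = b"constructed-demo-key-do-not-reuse"
ACCESS_TTL = 300  # seconds: short on purpose, because a JWT cannot be revoked

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(sub: str, now: float, ttl: int = ACCESS_TTL) -> str:
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": int(now), "exp": int(now) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: float) -> Optional[dict]:
    """Self-contained check: signature and expiry only, no call to the server.
    That is exactly why an issued JWT cannot be revoked."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
        sig = _unb64url(sig_b64)
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # refuse alg=none and algorithm confusion
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

class AuthServer:
    """Opaque tokens are keys into server-side state, so revoking them is instant."""

    def __init__(self) -> None:
        self._refresh = {}    # refresh token -> subject
        self._reference = {}  # opaque access (reference) token -> subject

    def login(self, sub: str, now: float):
        rt = secrets.token_urlsafe(32)
        self._refresh[rt] = sub
        return issue_jwt(sub, now), rt

    def refresh_jwt(self, rt: str, now: float):
        sub = self._refresh.pop(rt, None)  # single use: every refresh rotates the token
        if sub is None:
            return None
        new_rt = secrets.token_urlsafe(32)
        self._refresh[new_rt] = sub
        return issue_jwt(sub, now), new_rt

    def revoke_refresh(self, rt: str) -> None:
        self._refresh.pop(rt, None)

    def issue_reference(self, sub: str) -> str:
        tok = secrets.token_urlsafe(32)
        self._reference[tok] = sub
        return tok

    def introspect(self, tok: str) -> Optional[str]:
        return self._reference.get(tok)

    def revoke_reference(self, tok: str) -> None:
        self._reference.pop(tok, None)

def compromise_timeline() -> dict:
    """Constructed scenario from the question: the attacker steals both tokens and
    refreshes first; the theft is noticed 120 s later and the refresh token revoked."""
    srv, t0 = AuthServer(), 1_700_000_000.0
    victim_jwt, victim_rt = srv.login("alice", t0)
    attacker_jwt, attacker_rt = srv.refresh_jwt(victim_rt, t0 + 60)  # attacker refreshes
    victim_retry = srv.refresh_jwt(victim_rt, t0 + 90)  # rotation only locks out the victim
    srv.revoke_refresh(attacker_rt)  # compromise detected at t0 + 120
    out = {
        "victim_old_rt_works": victim_retry is not None,
        "refresh_after_revoke": srv.refresh_jwt(attacker_rt, t0 + 120) is not None,
        "stolen_jwts_valid_after_revoke": (verify_jwt(victim_jwt, t0 + 120) is not None
                                          and verify_jwt(attacker_jwt, t0 + 120) is not None),
        "attacker_jwt_valid_after_expiry": verify_jwt(attacker_jwt, t0 + 60 + ACCESS_TTL) is not None,
    }
    ref = srv.issue_reference("alice")  # reference-token alternative: checked on every use
    out["ref_before_revoke"] = srv.introspect(ref) == "alice"
    srv.revoke_reference(ref)
    out["ref_after_revoke"] = srv.introspect(ref) == "alice"
    return out
```

Calling compromise_timeline() returns False for victim_old_rt_works and refresh_after_revoke, True for stolen_jwts_valid_after_revoke, False for attacker_jwt_valid_after_expiry, and True then False for the reference token. The residual window is therefore exactly the remaining lifetime of whatever JWTs were already minted, which is the reason the answer gives for keeping ACCESS_TTL short; the reference token has no such window, at the cost of the introspect() round trip on every request.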