Why doesn't the access token have a longer expiry time?
I am trying to implement OAuth2 with JWT in my application. One doubt I have is why I need a shorter expiry time for the access_token and a longer expiry time for the refresh_token.

I mean, I could have an access_token with a longer validity period and protect the access_token the same way I protect the refresh_token, so there would be no need for a refresh_token at all. Does that make sense?

So, if I ignore the refresh_token in my application, will I face any usability or security issues?
See RFC 6749:

1.5. Refresh Token

Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token (i.e., step (D) in Figure 1).

A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.