Does OIDC explicitly handle refresh token exchange for multiple devices?
This question was inspired by this answer and question.
I also use that approach to handle users who can log in and out on multiple devices by storing one refresh token per device, keyed on the device ID. I assume various additional checks should be applied during the refresh token exchange: checking the IP for web applications, checking the device ID for mobile applications, throttling, and so on.
I expected OIDC to somehow account for a single user's traffic across multiple devices, but after trying to study the spec I can't say I've seen it. Basically, my question is: does OIDC address these issues implicitly or explicitly? Am I right that this isn't supported, and that handling it requires a custom, non-OIDC approach?
Each device/application is its own client in OpenID Connect. So how will the clients know when the user has logged out? You can do this in many ways.
- You can have a short access token lifetime, like minutes, and you will not get any new access tokens if the user has logged out.
- APIs can manually call the token introspection endpoint using the received access token and get the current status of the user (the active flag).
- Your client can also query the identity provider for the user status.
- Using an iframe in your browser to periodically query the provider for the user status.
So, you have many alternatives here.
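An added example, not code from the question or the answer above: a constructed in-memory stand-in for an authorization server that keeps one refresh token per (user, device) as the question describes, and exposes an RFC 7662 style introspection endpoint returning the `active` flag the answer mentions. The `AuthServer` class, `ACCESS_TTL` and all token values are assumptions; no real OIDC provider is contacted.

```python
import secrets
import time

ACCESS_TTL = 300  # short-lived access tokens (5 minutes), as the answer suggests


class AuthServer:
    """Constructed in-memory stand-in for an OIDC provider: one refresh token per
    (user, device) plus an RFC 7662 style introspection endpoint. Not a real OP."""

    def __init__(self):
        self.sessions = {}   # refresh_token -> session dict
        self.by_access = {}  # access_token -> session dict

    def _issue_access(self, s, now):
        s["access_token"] = secrets.token_urlsafe(16)
        s["access_exp"] = now + ACCESS_TTL
        self.by_access[s["access_token"]] = s
        return s["access_token"]

    def login(self, user, device_id, now=None):
        now = time.time() if now is None else now
        self.logout(user, device_id)  # one live refresh token per device
        s = {"user": user, "device_id": device_id, "revoked": False,
             "refresh_token": secrets.token_urlsafe(24)}
        self.sessions[s["refresh_token"]] = s
        return s["refresh_token"], self._issue_access(s, now)

    def refresh(self, refresh_token, device_id, now=None):
        now = time.time() if now is None else now
        s = self.sessions.get(refresh_token)
        # reject unknown or revoked tokens, and tokens presented from another device
        if s is None or s["revoked"] or s["device_id"] != device_id:
            return None
        return self._issue_access(s, now)

    def logout(self, user, device_id):
        # revoke only this device's refresh token; other devices stay logged in
        for s in self.sessions.values():
            if s["user"] == user and s["device_id"] == device_id:
                s["revoked"] = True

    def introspect(self, access_token, now=None):
        now = time.time() if now is None else now
        s = self.by_access.get(access_token)
        if s is None or s["revoked"] or now >= s["access_exp"]:
            return {"active": False}  # RFC 7662: reveal nothing more about inactive tokens
        return {"active": True, "sub": s["user"], "exp": int(s["access_exp"])}
```

Because every access token is short-lived and introspection reports `active: false` as soon as the device's session is revoked, an API relying on either check stops honouring a logged-out device within minutes without affecting the user's other devices.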