How to adjust Access Token / Refresh Token when logging out?

Question

I'm developing an authentication system that returns access/refresh tokens when a user logs in. The access token has a short lifetime, whereas the refresh token has a 30-day lifetime.

When a user logs out, I invalidate his access token by adding it to a Redis storage that implements a blacklist. What should I do with his refresh token? It will continue living and the user can access another page after logging out, which results in receiving a new access token. Should I block it together with the access token? Because I think that simply removing it from cookies will cause problems, because its signature is still valid.

Answer 1

Score: 1

If you use OAuth 2.0 for user login (especially with a refresh token) then it is not the best solution, because a public client cannot securely store a refresh token (OIDC is preferred).

Back to the question, it depends on business requirements and implementation: if, due to the refresh token, the application can still be used after logout in the same user context, then you should also invalidate the refresh token.

To better understand OAuth 2.0 with browser-based applications, please check this document: https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-10.html
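The following Go program is an added example (not code from the asker or the answerer) of the logout behaviour the answer recommends: both the access token and the refresh token are put on the denylist, each for its remaining lifetime, and the refresh endpoint consults the denylist before minting a new pair. It also rotates the refresh token on every use, so a saved copy cannot be replayed even without a logout. The `Denylist` interface, the in-memory store that stands in for Redis, the `Token` struct and the `tok-N` ids are all assumptions of this example; signature verification is assumed to happen before these functions are called.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Token holds the claims of an already signature-verified token (a JWT's
// "jti", "sub" and "exp"). Signing/verification is out of scope here.
type Token struct {
	ID        string
	Subject   string
	ExpiresAt time.Time
}

// Denylist is what logout and refresh depend on. Backed by Redis this would be
// SET <id> "" EX <ttl-seconds> and EXISTS <id>; the in-memory implementation
// below stands in for Redis so the example runs offline (an assumption).
type Denylist interface {
	Revoke(id string, ttl time.Duration)
	IsRevoked(id string) bool
}

type memoryDenylist struct {
	mu      sync.Mutex
	entries map[string]time.Time // token id -> time the entry can be dropped
	now     func() time.Time
}

func newMemoryDenylist(now func() time.Time) *memoryDenylist {
	return &memoryDenylist{entries: map[string]time.Time{}, now: now}
}

// Revoke blocks id for ttl. An entry only needs to outlive the token itself:
// after "exp" has passed, the token's own expiry rejects it.
func (d *memoryDenylist) Revoke(id string, ttl time.Duration) {
	if ttl <= 0 {
		return
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	d.entries[id] = d.now().Add(ttl)
}

func (d *memoryDenylist) IsRevoked(id string) bool {
	d.mu.Lock()
	defer d.mu.Unlock()
	until, ok := d.entries[id]
	if !ok {
		return false
	}
	if !d.now().Before(until) {
		delete(d.entries, id) // Redis would have expired the key by now
		return false
	}
	return true
}

var (
	ErrExpired = errors.New("token expired")
	ErrRevoked = errors.New("token revoked")
)

// Auth issues token pairs and consults the denylist on every use.
type Auth struct {
	deny                  Denylist
	now                   func() time.Time
	accessTTL, refreshTTL time.Duration
	nextID                int
}

func NewAuth(deny Denylist, now func() time.Time, accessTTL, refreshTTL time.Duration) *Auth {
	return &Auth{deny: deny, now: now, accessTTL: accessTTL, refreshTTL: refreshTTL}
}

func (a *Auth) issue(subject string, ttl time.Duration) Token {
	a.nextID++ // a real issuer would use a random "jti"
	return Token{ID: fmt.Sprintf("tok-%d", a.nextID), Subject: subject, ExpiresAt: a.now().Add(ttl)}
}

// Login returns a fresh access/refresh pair.
func (a *Auth) Login(subject string) (access, refresh Token) {
	return a.issue(subject, a.accessTTL), a.issue(subject, a.refreshTTL)
}

// check is the test every presented token goes through: expiry first, then denylist.
func (a *Auth) check(t Token) error {
	if !a.now().Before(t.ExpiresAt) {
		return ErrExpired
	}
	if a.deny.IsRevoked(t.ID) {
		return ErrRevoked
	}
	return nil
}

// Authorize is what an API endpoint runs on the access token.
func (a *Auth) Authorize(access Token) error { return a.check(access) }

// Logout revokes BOTH tokens for their remaining lifetime. Clearing the cookie
// alone is not enough: a saved refresh token still carries a valid signature.
func (a *Auth) Logout(access, refresh Token) {
	a.deny.Revoke(access.ID, access.ExpiresAt.Sub(a.now()))
	a.deny.Revoke(refresh.ID, refresh.ExpiresAt.Sub(a.now()))
}

// Refresh exchanges a live refresh token for a new pair and revokes the old
// refresh token (rotation), so each refresh token is usable exactly once.
func (a *Auth) Refresh(refresh Token) (access, newRefresh Token, err error) {
	if e := a.check(refresh); e != nil {
		return Token{}, Token{}, e
	}
	a.deny.Revoke(refresh.ID, refresh.ExpiresAt.Sub(a.now()))
	access, newRefresh = a.Login(refresh.Subject)
	return access, newRefresh, nil
}

func main() {
	a := NewAuth(newMemoryDenylist(time.Now), time.Now, 15*time.Minute, 30*24*time.Hour)
	acc, ref := a.Login("user-42")
	a.Logout(acc, ref)
	_, _, err := a.Refresh(ref)
	fmt.Println("refresh after logout:", err)
}
```

The clock is injected so the denylist's TTL behaviour can be exercised without waiting; in production the Redis key TTL does the same job as the `until` timestamp, and the denylist never grows beyond the number of tokens revoked within one token lifetime.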

huangapple
  • Posted on 2023-01-09 01:22:03
  • Please keep this link when reposting: https://go.coder-hub.com/75049891.html