英文:
When someone requests a new Refresh Token, should I update the new Refresh Token's expiry date?
问题
当客户端请求新的刷新令牌时,API 应该更新新刷新令牌的过期日期吗,还是只应该返回新的访问令牌和刷新令牌,而不更新刷新令牌的过期日期?
我正在按照这个指南来实现刷新令牌:
https://www.c-sharpcorner.com/article/jwt-authentication-with-refresh-tokens-in-net-6-0/
在控制器的 refresh-token 端点中有一些代码来更新用户的刷新令牌,但它没有更新 RefreshTokenExpiryTime,这是一个错误吗?
而在控制器的 login 端点中,他同时更新了用户的刷新令牌和 RefreshTokenExpiryTime。在控制器的 refresh-token 端点中也应该做同样的事情吗?
英文:
When the client requests a new Refresh Token, should the Api update the new Refresh Token's expiry date or should I only send back a new Access Token and Refresh token, without updating the expiry date of Refresh Token?
I was following this guide to implement Refresh Tokens:
https://www.c-sharpcorner.com/article/jwt-authentication-with-refresh-tokens-in-net-6-0/
In the refresh-token endpoint of controller there is some code that updates the refresh token of the user, but it isn't updating the RefreshTokenExpiryTime as well, is this a mistake?
While in the login endpoint of the controller he is updating the refresh token of the user as well as the RefreshTokenExpiryTime. Shouldn't the same also be done in refresh-token endpoint of controller?
答案1
得分: 1
我明白问题的含义如下:
客户端正在向身份提供者请求一个新的刷新令牌。身份提供者应该如何处理这个请求?
短答案是:
每次生成刷新令牌时,都需要从头开始创建一个新的刷新令牌。
这是因为刷新令牌应该始终在另一个刷新周期内有效。不重置新刷新令牌的到期时间没有太多意义。此外,在身份提供者中实现这种逻辑会更加复杂。
以下是来自公共身份提供者的示例:
Microsoft Identity Platform
我可以给出Microsoft Identity Platform在这种情况下的示例:
每次使用时,刷新令牌都会用新的令牌替换
链接:https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
Auth0
还有来自Auth0的示例:
每次将刷新令牌交换以获得新的访问令牌时,到期时间都会更新
链接:https://auth0.com/docs/secure/tokens/refresh-tokens/configure-refresh-token-expiration
让我们查看RFC 6749“OAuth 2.0授权框架”:
+--------+ +---------------+
| |--(A)-------授权授予--------->| |
| | | |
| |<-(B)-----------访问令牌 -------------| |
| | & 刷新令牌 | |
| | | |
| | +----------+ | |
| |--(C)----访问令牌---->| | | |
| | | | | |
| |<-(D)-受保护的资源 --| 资源 | | 授权 |
| Client | | 服务器 | | 服务器 |
| |--(E)----访问令牌---->| | | |
| | | | | |
| |<-(F)-无效令牌错误 -| | | |
| | +----------+ | |
| | | |
| |--(G)-----------刷新令牌 ----------->| |
| | | |
| |<-(H)-----------访问令牌 -------------| |
+--------+ & 可选的刷新令牌 +---------------+
它定义了刷新令牌如下:
1.5. 刷新令牌
刷新令牌是用于获取访问令牌的凭据。授权服务器向客户端颁发刷新令牌,用于在当前访问令牌无效或到期时获取新的访问令牌。颁发刷新令牌是授权服务器酌情而定的,刷新令牌是一个代表资源所有者授权的字符串。该字符串通常对客户端不透明。该令牌表示用于检索授权信息的标识符。与访问令牌不同,刷新令牌仅用于授权服务器,并且不会发送到资源服务器。
链接:https://www.rfc-editor.org/rfc/rfc6749#section-1.5
在刷新访问令牌时,还有一些关于生成新刷新令牌的规则:
- 刷新访问令牌
授权服务器可以发放新的刷新令牌,在这种情况下,客户端必须丢弃旧的刷新令牌,并替换为新的刷新令牌。授权服务器可以在向客户端发放新的刷新令牌后吊销旧的刷新令牌。如果发放了新的刷新令牌,刷新令牌的范围必须与客户端在请求中包含的刷新令牌的范围相同。
链接:https://www.rfc-editor.org/rfc/rfc6749#section-6
此外,还有关于刷新令牌轮换的一些建议:
10.4. 刷新令牌
... 授权服务器可以采用刷新令牌轮换,即在每次访问令牌刷新响应中发放新的刷新令牌。旧的刷新令牌将被吊销但由授权服务器保留。如果刷新令牌受到威胁并随后被攻击者和合法客户端同时使用,其中一个将呈现一个无效的刷新令牌,这将通知授权服务器存在违规行为。
链接:https://www.rfc-editor.org/rfc/rfc6749#section-10.4
我根据RFC的内容理解如下:
- 您可以配置授权服务器以生成刷新令牌。或者您可以决定根本不使用刷新令牌。
- 您可以配置授权服务器在每次生成访问令牌时发放新的刷新令牌。
- 每当发放新的刷新令牌时,它应该是一个全新的刷新令牌。这意味着每次发放新的刷新令牌时都是相同的方式。无论是第一个刷新令牌还是第二个刷新令牌,都没有区别。
英文:
So, I understand the question in this way:
> A client is requesting a new Refresh Token from an Identity Provider. What should Identity Provider do about this?
Short answer
You need to create a new Refresh Token from scratch every time a Refresh Token is generated.
It makes sense as Refresh Tokens should be always valid for another refresh period. There is not much sense to not reset an expiration time of a new Refresh Token. Also, it's more complicated to implement such a logic in the Identity Provider.
Examples from Public Identity Providers
Microsoft Identity Platform
I can give an example of what Microsoft Identity Platform does in such a case:
> Refresh tokens replace themselves with a fresh token upon every use
>
> https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
Auth0
Also, there is an example from Auth0:
> The expiration period is renewed each time the refresh token is exchanged for a new access token within the interval.
>
> https://auth0.com/docs/secure/tokens/refresh-tokens/configure-refresh-token-expiration
Let's look into RFC 6749 "The OAuth 2.0 Authorization Framework"
+--------+ +---------------+
| |--(A)------- Authorization Grant --------->| |
| | | |
| |<-(B)----------- Access Token -------------| |
| | & Refresh Token | |
| | | |
| | +----------+ | |
| |--(C)---- Access Token ---->| | | |
| | | | | |
| |<-(D)- Protected Resource --| Resource | | Authorization |
| Client | | Server | | Server |
| |--(E)---- Access Token ---->| | | |
| | | | | |
| |<-(F)- Invalid Token Error -| | | |
| | +----------+ | |
| | | |
| |--(G)----------- Refresh Token ----------->| |
| | | |
| |<-(H)----------- Access Token -------------| |
+--------+ & Optional Refresh Token +---------------+
It defines Refresh Tokens as:
> 1.5. Refresh Token
>
> Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires <...>
>
> Issuing a refresh token is optional at the discretion of the authorization server.
>
> A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.
>
> https://www.rfc-editor.org/rfc/rfc6749#section-1.5
There are also rules on creating a new Refresh Token when refreshing an Access Token:
> 6. Refreshing an Access Token
>
> The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.
>
> https://www.rfc-editor.org/rfc/rfc6749#section-6
Also, there are some notes on Refresh Token rotation:
> 10.4. Refresh Tokens
>
> ... authorization server could employ refresh token rotation in which a new refresh token is issued with every access token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach.
>
> The authorization server MUST ensure that refresh tokens cannot be generated, modified, or guessed to produce valid refresh tokens by unauthorized parties.
>
> https://www.rfc-editor.org/rfc/rfc6749#section-10.4
I read the RFC in that way:
- You can configure Authorization Server to generate Refresh Tokens. Or you can decide not to use Refresh Tokens at all.
- You can configure Authorization Server to issue a new Refresh Token every time an Access Token generated.
- Whenever a new Refresh Token is issued, it should be a new and fresh Refresh Token. It means, that new Refresh Token is issued exactly in the same way every time. There is no difference if it is a first Refresh Token or a second one.
答案2
得分: 0
如果你正在使用刷新令牌轮换,那么我认为你可能不应该在每个新的刷新令牌上重置到期时间。这样做的原因是为了防止被盗的刷新令牌无限期使用。
这一点在IETF OAuth 2.0 for Browser-Based Apps的一份草案BCP(最佳当前实践)中也提到了,详情请参见这里。现在,这个BCP是为在基于浏览器的应用程序中使用刷新令牌的特定情境而制定的,但我认为你可能可以更广泛地提出相同的基本论点,关于刷新令牌。
以下是BCP中的一些关键部分 -
特别地,授权服务器:
...
在发出轮换的刷新令牌时,如果刷新令牌有预先设定的过期时间,绝不能将新刷新令牌的寿命延长超过初始刷新令牌的寿命。
例如:
用户授权一个应用,发出一个有效期1小时的访问令牌和一个有效期24小时的刷新令牌
1小时后,初始访问令牌过期,应用使用刷新令牌获取新的访问令牌
授权服务器返回一个新的访问令牌,有效期1小时,和一个新的刷新令牌,有效期23小时
重复这个过程,直到从初始授权开始已经过去了24小时
此时,当应用程序尝试在24小时后使用刷新令牌时,请求将失败,应用程序将需要用户进行新的授权请求
通过将整个刷新令牌的寿命限制在初始刷新令牌的寿命内,可以确保被盗的刷新令牌不能无限期使用。
英文:
If you're using refresh token rotation, then IMO you probably shouldn't reset the expiry on each new refresh token. The reason for this is so that stolen refresh tokens cannot be used indefinitely.
This same point is made in a draft IETF BCP (best current practice) for OAuth 2.0 for Browser-Based Apps - see here. Now this BCP is for a very specific scenario when using refresh tokens in browser based apps, but I think you could probably make the same underlying argument more broadly about refresh tokens.
Here's some of the key bits from the BCP -
> In particular, authorization servers:
>
> ...
>
> upon issuing a rotated refresh token, MUST NOT extend the lifetime of
> the new refresh token beyond the lifetime of the initial refresh token
> if the refresh token has a preestablished expiration time
>
> For example:
>
> * A user authorizes an application, issuing an access token that lasts 1
> hour, and a refresh token that lasts 24 hours
>
> * After 1 hour, the
> initial access token expires, so the application uses the refresh
> token to get a new access token
>
> * The authorization server returns a new
> access token that lasts 1 hour, and a new refresh token that lasts 23
> hours
>
> * This continues until 24 hours pass from the initial
> authorization
>
> * At this point, when the application attempts to use the
> refresh token after 24 hours, the request will fail and the
> application will have to involve the user in a new authorization
> request
>
> By limiting the overall refresh token lifetime to the lifetime
> of the initial refresh token, this ensures a stolen refresh token
> cannot be used indefinitely.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论