English:
How can I validate the user's identity when I want to use the refresh token to get a new access token after the previous access token expired?
Question
The translated part follows:
Suppose I develop a website that integrates Google login.
When a user logs in with Google, I obtain an authorization code.
In the website's backend, I use the authorization code to obtain an access token (access_token) and a refresh token (refresh_token), then return the access token to the frontend.
The website provides a function that fetches the user's Google information using the access token.
When the access token has expired, if the user uses that function, the backend's request to the Google API with the access token returns a token-expired error.
I can use the user's refresh token stored in the backend to request a new access token.
But how can I verify that the request was made by the owner of the refresh token?
English:
Suppose I develop a website which integrates Google login.
When a user logs in with Google, I get an authorization code.
In the backend of the website, I use the authorization code to get the access_token and refresh_token, and return the access_token to the frontend.
And the website provides a function to get the user's Google info through the access_token.
When the access_token has expired, if the user uses that function, the backend's request to the Google API with the access_token will return "token expired".
I can use the user's refresh_token stored in the backend to request a new access_token.
But how can I validate that the request is invoked by the refresh_token's owner?
Answer 1
Score: 1
Once the original authentication token has been issued, the responsibility for safeguarding the token lies with the bearer, not the server.
When a refresh token is issued, the responsibility still rests with the bearer.
Server-side security for handling tokens is covered by the following document:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding
English:
Once the original authentication token has been issued, it is the bearer's responsibility to keep it secure, and not the server's.
When issuing refresh tokens, the cone of responsibility remains with the bearer.
Dealing with the server-side security of tokens is covered by
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding
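One common way to keep the refresh in the hands of its owner, as an added example that is not part of the question or the answer above: the refresh_token never leaves the backend, and it is only used when the caller presents the site's own session id that was created at login for that same user. The Google token endpoint is abstracted as an injected callable (an assumption, so the code runs offline), and the session id stands in for whatever session cookie the site issues.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the Google token endpoint: takes a refresh_token
# and returns (new_access_token, expires_in_seconds). Injected so the
# example runs without network access.
TokenRefresher = Callable[[str], Tuple[str, int]]


@dataclass
class UserTokens:
    user_id: str
    refresh_token: str   # stored server-side only, never sent to the frontend
    access_token: str
    expires_at: float    # absolute epoch time


class TokenStore:
    """Backend-side token store keyed by the site's own opaque session id."""

    def __init__(self, refresher: TokenRefresher, now: Callable[[], float] = time.time):
        self._refresher = refresher
        self._now = now
        self._sessions: Dict[str, UserTokens] = {}

    def login(self, user_id: str, refresh_token: str, access_token: str, expires_in: int) -> str:
        """Called after the authorization code was exchanged; issues our own session id."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = UserTokens(
            user_id, refresh_token, access_token, self._now() + expires_in)
        return session_id

    def access_token_for(self, session_id: str) -> Optional[str]:
        """Return a usable access token for the session owner, refreshing if needed.

        An unknown or logged-out session gets None: the stored refresh_token is
        only ever used for the session it was stored under at login.
        """
        rec = self._sessions.get(session_id)
        if rec is None:
            return None
        if rec.expires_at - self._now() > 30:   # keep a 30 s clock-skew margin
            return rec.access_token
        new_access, expires_in = self._refresher(rec.refresh_token)
        rec.access_token, rec.expires_at = new_access, self._now() + expires_in
        return new_access

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)
```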
Comments