JWT - What if the refresh token is compromised?

Question

As far as I understand, a JWT token has two parts:

  • access token (short validity)
  • refresh token (long validity)

The purpose of keeping the access token short lived is if it gets compromised, the user will not be able to access the resource after its expiry.

The purpose of keeping the refresh token long lived is if the access token gets expired, the refresh token can then be used to generate a new access token OR increase the expiry time of the access token.

My question is, what if the refresh token gets compromised? In that case what is the whole point of keeping the access token short lived? Because the hacker can then keep reissuing a new access token each time it gets expired using the stolen refresh token.

Can someone explain to me please?

Answer 1

Score: 1

You are on the right track with your understanding of access and refresh tokens.

Access tokens are indeed short-lived and are used to authenticate individual requests to a server. These tokens are designed to be passed around and possibly exposed in insecure environments, hence the short lifespan.

On the other hand, refresh tokens are long-lived and are used to obtain new access tokens when the current one expires. The refresh token is typically stored securely by the client and not sent in every request, reducing the likelihood of it being intercepted. It is usually used only in a secure environment and typically with HTTPS only.

As you mentioned, if the refresh token is compromised, an attacker could use it to obtain new access tokens. This is indeed a serious risk, which is why refresh tokens must be stored and transmitted as securely as possible.

Additionally, refresh tokens often come with other security mechanisms to manage risk:

  1. Revoke ability: Refresh tokens can be revoked by the server. They should be revoked when the user logs out, when they are used to issue a new refresh token, or if any suspicious activity is detected. If a refresh token is compromised and the server or the legitimate client realizes this, they can make the token useless by revoking it.

  2. Rotation of Refresh Tokens: Some implementations use a refresh token rotation strategy. This means that each time a client uses a refresh token to get a new access token, a new refresh token is also returned. The previous refresh token is invalidated. Therefore, if a refresh token is stolen and the legitimate client uses the valid refresh token to get a new pair of access and refresh tokens, the server will notice that the stolen refresh token is being used again and can block the user account or take other appropriate security actions.

  3. Limited use: Refresh tokens are often scoped to certain actions. They may not grant full access to a user’s resources, only the ability to get a new access token.

I hope this clarifies a bit about the access and refresh tokens.
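The rotation and revocation mechanisms described in the answer, as an added example that is not part of the original answer: a server-side store that makes each refresh token single-use and revokes the whole token family when a rotated token is presented again. The class and function names (`RefreshTokenStore`, `ReuseDetected`, `outcome`) and the in-memory dictionary are assumptions for illustration; access-token issuance is left out.

```python
import hashlib
import secrets

class ReuseDetected(Exception):
    """An already-rotated refresh token was presented a second time."""

class RefreshTokenStore:
    """In-memory stand-in for a server-side refresh-token table (hypothetical)."""

    def __init__(self):
        self._tokens = {}        # sha256(token) -> {"user", "family", "used"}
        self._revoked = set()    # family ids killed by logout or reuse detection

    @staticmethod
    def _digest(token):
        # Keep only a hash, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, user, family):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {"user": user, "family": family, "used": False}
        return token

    def login(self, user):
        # Every login starts its own token family (one per device/session).
        return self._mint(user, secrets.token_hex(8))

    def revoke_family(self, family):
        self._revoked.add(family)

    def rotate(self, token):
        """Trade a refresh token for its successor; the old one becomes invalid."""
        rec = self._tokens.get(self._digest(token))
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec["used"]:
            # A one-time token came back: a stale copy exists somewhere, so
            # revoke every token descended from the same login.
            self.revoke_family(rec["family"])
            raise ReuseDetected(rec["user"])
        if rec["family"] in self._revoked:
            raise PermissionError("refresh token family revoked")
        rec["used"] = True
        return self._mint(rec["user"], rec["family"])  # a new access token would be issued here too

def outcome(store, token):
    """Return the new token, or the name of the exception rotate() raised."""
    try:
        return store.rotate(token)
    except (ReuseDetected, PermissionError) as exc:
        return type(exc).__name__
```

Whichever party rotates first, the second presentation of the same token raises `ReuseDetected`, and every token in that family stops working, so the user has to log in again while sessions from other logins are unaffected.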

huangapple
  • Published on July 13, 2023, 16:17:18
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76677287.html