
PHP Console Application with OAuth 2.0 Refresh Tokens, how to store?

I am working on a PHP project that utilizes the API from a few services. For a single API, it uses OAuth 2.0 authorization to authenticate the application's API access. However, I am unsure how I should approach the process to authenticate a local console application.

I would not be using a web flow to authenticate the API, as my PHP script runs in a local console. The API allows retrieving the access token and refresh token by entering my username and password (they recommend this only for console applications).

Once I get the access token, I may use it to make API requests. This works fine. However, I am unsure what to do with my refresh token. The API consumes refresh tokens as such:

/oauth2/access_token/ (Refresh token usage)

Context: Client's Web Server

Required arguments: refresh_token, grant_type=refresh_token, client_id, client_secret

Access token scope: None

On success, a JSON response is returned to the client:

{
  "access_token": a valid access token,
  "scope": scope as given in authorize,
  "expires_in": seconds to expiry,
  "refresh_token": a token that can be used to get a new access token
}

Consuming a refresh token will immediately expire the related access token. Refresh tokens are single-use. A new refresh token is returned from this call, ready for consumption later.

From what I gather from this, my authentication process should be something like this:

  1. Initial authentication - pass username/password via environment variable, get the access/refresh token from the response
  2. Store the refresh token? Check for the expiry of the initial access token
  3. If the initial access token has expired, pull the refresh token from the file and make a request for a new access/refresh token
  4. Store the new refresh token?

Does this sound like the correct authentication flow? Is there a specific way I should be storing the refresh token? I am aware there may be a lot of security concerns with simply storing the refresh token in a text file, as it has the ability to give complete access to my account. Are there any better alternatives?

Thanks!

The authentication flow is fine. For more detail and validation, you can read https://tools.ietf.org/html/rfc6749 .

You can store the refresh token either in a file or in a DB using an encryption key, and it MUST only be transmitted using TLS. A refresh token is used in scenarios where the server wants to do some scheduled background activities, such as accessing the profile and related data from another OAuth server based on a previously stored access token, without asking for the username and password over and over again. If the access token is invalidated, the refresh token is used to get a new access token to serve the purpose.
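The four-step flow from the question and the encrypted file store this answer suggests, as one added example (PHP 8.1 with ext-sodium) that is not code from the question, the answer or the API being described. What the page supplies: the /oauth2/access_token/ path, the refresh_token grant parameters, the response fields and the single-use rule. Assumed for the example, not from the page: the password grant takes the RFC 6749 section 4.3 fields (username, password, client_id, client_secret), the store key is a 32-byte secret read as hex from an OAUTH_STORE_KEY environment variable, and the HTTPS call is injected as a callable so the demo at the bottom runs offline against a constructed in-memory stand-in for the server.

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or the answer. Needs PHP >= 8.1 with ext-sodium.
// Assumed, not from the page: the password grant takes the RFC 6749 section 4.3 fields,
// the store key comes from OAUTH_STORE_KEY (64 hex chars) and $post is your HTTPS transport.

final class TokenStore
{
    public function __construct(public readonly string $path, private string $key) {}

    /** Decrypt the stored token set, or null if nothing has been saved yet. */
    public function load(): ?array
    {
        if (!is_file($this->path)) { return null; }
        $blob   = file_get_contents($this->path);
        $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $this->key);
        if ($plain === false) { throw new RuntimeException('token store is corrupt or the key is wrong'); }
        return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    }

    /** Encrypt with a fresh nonce and replace the file atomically; the file is only ever mode 0600. */
    public function save(array $tokens): void
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $blob  = $nonce . sodium_crypto_secretbox(json_encode($tokens, JSON_THROW_ON_ERROR), $nonce, $this->key);
        $tmp   = $this->path . '.' . bin2hex(random_bytes(4)) . '.tmp';
        touch($tmp); chmod($tmp, 0600);   // lock the mode down before any secret is written
        file_put_contents($tmp, $blob);
        rename($tmp, $this->path);        // a reader never sees a half-written store
    }
}

final class OAuthClient
{
    /** @param callable(string, array): array $post  POSTs form fields, returns the decoded JSON */
    public function __construct(
        private TokenStore $store, private string $clientId, private string $clientSecret, private $post,
    ) {}

    /** Step 1: password grant; needed only when no refresh token is stored or it was lost. */
    public function loginWithPassword(string $username, string $password): string
    {
        return $this->persist(($this->post)('/oauth2/access_token/', [
            'grant_type' => 'password', 'username' => $username, 'password' => $password,
            'client_id' => $this->clientId, 'client_secret' => $this->clientSecret,
        ]));
    }

    /** Steps 2-4: return a usable access token, refreshing when it is within 60 s of expiry. */
    public function accessToken(): string
    {
        // Serialise refreshes: two console runs racing with one single-use refresh token leave the loser dead.
        $lock = fopen($this->store->path . '.lock', 'c');
        flock($lock, LOCK_EX);
        try {
            $t = $this->store->load() ?? throw new RuntimeException('no tokens stored; log in first');
            if ($t['expires_at'] > time() + 60) { return $t['access_token']; }
            return $this->persist(($this->post)('/oauth2/access_token/', [
                'grant_type' => 'refresh_token', 'refresh_token' => $t['refresh_token'],
                'client_id' => $this->clientId, 'client_secret' => $this->clientSecret,
            ]));
        } finally { flock($lock, LOCK_UN); fclose($lock); }
    }

    /** The old refresh token died when the server answered, so the new one is written before
     *  anything else runs; expiry is kept as an absolute time so the check survives restarts. */
    private function persist(array $resp): string
    {
        $this->store->save([
            'access_token'  => $resp['access_token'],
            'refresh_token' => $resp['refresh_token'],
            'expires_at'    => time() + (int) $resp['expires_in'],
        ]);
        return $resp['access_token'];
    }
}

// Demo against a constructed in-memory "server" in place of the real HTTPS endpoint; it
// enforces the single-use rule from the API docs quoted in the question.
$issued = 0; $burned = [];
$fakePost = function (string $path, array $p) use (&$issued, &$burned): array {
    if ($p['grant_type'] === 'refresh_token') {
        if (isset($burned[$p['refresh_token']])) { throw new RuntimeException('invalid_grant: already consumed'); }
        $burned[$p['refresh_token']] = true;
    }
    $issued++;
    return ['access_token' => "at$issued", 'refresh_token' => "rt$issued", 'expires_in' => 3600, 'scope' => 'api'];
};

$hex    = getenv('OAUTH_STORE_KEY') ?: throw new RuntimeException("set OAUTH_STORE_KEY, e.g. php -r 'echo bin2hex(random_bytes(32));'");
$store  = new TokenStore(sys_get_temp_dir() . '/oauth-tokens.bin', sodium_hex2bin($hex));
$client = new OAuthClient($store, 'client-id', 'client-secret', $fakePost);
$client->loginWithPassword(getenv('OAUTH_USERNAME') ?: 'demo', getenv('OAUTH_PASSWORD') ?: 'demo');
echo $client->accessToken(), "\n";                           // fresh: served from the store, no refresh
$store->save(['expires_at' => time() - 1] + $store->load()); // force expiry to exercise the refresh path
echo $client->accessToken(), "\n";                           // old refresh token consumed, rotated pair stored
```

Two things the four steps leave out, and the code handles: a refresh token is dead as soon as the server answers, so the rotated token is written to disk before anything else can fail (a crash in that window means falling back to the password grant), and two console runs refreshing at the same time would both send the same single-use token, so refreshes are serialised with a file lock. Encrypting the file only helps as much as the key is protected: reading it from an environment variable keeps it out of the token file (and out of backups or an accidental commit of that file), but anything running as the same user can still read both, so an OS keyring on a workstation, or a secrets manager on a server, is the stronger home for the key.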
