堆栈内存溢出
  简体   繁体   English

仅Oauth撤销访问令牌

[英]Oauth Revoke access token only

 原文  2015-02-15 12:37:23       http/ authentication/ oauth-2.0

问题描述

I'm using OAuth 2.0 to log in users in my website. 我正在使用OAuth 2.0登录我的网站中的用户。 Just like any kind of website, eg Google, Asana, etc. . 就像任何类型的网站一样,例如Google,Asana等。

What I would like to know is if there is a way to revoke ONLY the access token and not the refresh token when the user logs out. 我想知道的是,是否有一种方法可以在用户注销时仅撤销访问令牌而不是刷新令牌。

This is what I do: 这是我的工作:

when a user logs in, I create a session and obtain the access token (and the refresh token if the user logs in for the first time). 当用户登录时,我创建一个会话并获取访问令牌(如果用户是首次登录,则获取刷新令牌)。 When the user logs out, I just invalidate the session but the access token is still valid. 当用户注销时,我只是使会话无效,但访问令牌仍然有效。

Sure, the access token will invalidate after a while or when the user logs in the web app again but what I want to know is if the access token can be invalidated during the log out process. 当然,一段时间后或当用户再次登录Web应用程序时,访问令牌将失效,但我想知道的是在注销过程中访问令牌是否可以失效。

1 个解决方案

解决方案1
 1 已采纳  2015-02-15 14:28:07

There's no generic answer to this question as the implementation of token revocation behavior wrt. 对于令牌撤销行为wrt的实现,没有通用的答案。 related tokens is Authorization Server specific. 相关令牌是特定于授权服务器的。 Google will invalidate the refresh token together with the access token that is being revoked, other implementations may choose not to do so. Google会将刷新令牌和被撤消的访问令牌一起无效,其他实现可能选择不这样做。 Yet other implementations may not even offer a way to revoke access tokens at all. 其他实现可能甚至根本不提供撤销访问令牌的方法。

For Google you can revoke the access token upon logout as described in https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke but it will also revoke the associated refresh token. 对于Google,您可以按照https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke中所述在注销后撤消访问令牌,但也会撤消关联的刷新令牌。 You must then go through the authorization code flow again to get a new refresh token, which you could try with prompt=none to avoid the user being prompted. 然后,您必须再次执行授权代码流程,以获取新的刷新令牌,可以将其与prompt=none一起尝试,以避免提示用户。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 OAuth访问令牌和刷新令牌创建 - OAuth access token and refresh token creation oauth2.0如何传递访问令牌 - oauth2.0 how to pass access token PHP-检索访问令牌-禁用隐式OAuth - PHP - Retrieve Access Token - Disable implicit OAuth 使用Boost C ++的HTTP GET请求-oauth2访问令牌 - HTTP GET request with boost c++ - oauth2 access token 为什么我会获得访问令牌? (OAuth2用户) - Why is am I getting an access token? (OAuth2) Slack OAuth HTTP Post Request 返回“undefined”访问令牌 - Slack OAuth HTTP Post Request returns "undefined" access token 如何使用 System.Net.Http 从 OAuth 请求访问令牌? 401 错误 - How to request an access token from OAuth using System.Net.Http? 401 Error 如果您不使用Google的Oauth流程请求刷新令牌,当access_token过期时会发生什么? - If you don't request a refresh token with Google's Oauth flow what happens when the access_token expires? Google HTTP / REST OAuth:授权代码请求具有数据库用户的状态,访问令牌请求没有 - Google HTTP/REST OAuth: authorisation code request has state for db user, access token request has none 如何在LinkedIn中获取访问令牌OAuth 2.0身份验证应该作为POST请求? - How is obtaining the Access Token in LinkedIn OAuth 2.0 authentication supposed to be made as a POST request?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM