
OAuth2 Refresh Token. How to store it on client-side

There is an Authorization OAuth2 Server to get access + refresh tokens. As far as I understand, the access token can be stored on the client side, because it has a short life cycle. But can the refresh token be stored there? According to information that I've read, there is no secure way to do it (here).

So, I have to implement a separate server-side service, just to store the refresh token.

Am I right? Is it the only possible way to store the refresh token?

PS Client-side: AngularJS

Yes, you are right. If you cannot authenticate with the Authorisation server (i.e. pass client ID and secret) then you will only get a short-lived access token.

As Angular code is on the client, it would be insecure for it to hold your client secret. Therefore you cannot pass your client secret to the Auth server, so you cannot authenticate.

Also, your server code would not just store a token; it would be expected to host an endpoint which would accept an auth code and then call the Auth server with that code (and your client credentials) to get a token and refresh token.

The auth code would be supplied to your server endpoint via a call from the auth server through an HTTP redirect, following successful user login and the user granting access to your app.
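The server-side endpoint the answer describes, as an added example that is not part of the question or answer: it accepts the authorization code from the redirect, exchanges it at the token endpoint with the client secret (which never reaches the browser), keeps the refresh token in a server-side store keyed by session, and returns only the short-lived access token to the Angular client. Later refreshes are done by the server on the client's behalf. The client id, secret, redirect URI and token URL are assumed placeholder values; `fetchImpl` is injected so the flow can be exercised offline against a constructed stand-in for the authorization server.

```javascript
// Assumed configuration; in a real deployment these come from server-side config.
const CLIENT_ID = 'my-app-client-id';                 // assumed
const CLIENT_SECRET = 'server-only-secret';           // assumed; never sent to the browser
const REDIRECT_URI = 'https://app.example/callback';  // assumed
const TOKEN_URL = 'https://auth.example/oauth2/token'; // assumed

// Server-side store: session id -> { refreshToken, accessToken, expiresAt }.
// The browser only ever holds the session cookie and the access token.
const tokenStore = new Map();

// Authorization code grant request body (RFC 6749, section 4.1.3).
function buildCodeExchangeParams(code) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: REDIRECT_URI,
    client_id: CLIENT_ID,
    client_secret: CLIENT_SECRET,
  });
}

// Refresh token grant request body (RFC 6749, section 6).
function buildRefreshParams(refreshToken) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    client_id: CLIENT_ID,
    client_secret: CLIENT_SECRET,
  });
}

// Record a token response server side and return only the client-safe part.
// A refresh response may omit refresh_token, in which case the stored one is kept;
// if the server rotates it, the new value replaces the old one.
function storeTokenResponse(sessionId, tok, now = Date.now()) {
  if (!tok || !tok.access_token) throw new Error('token response lacks access_token');
  const prev = tokenStore.get(sessionId) || {};
  tokenStore.set(sessionId, {
    refreshToken: tok.refresh_token || prev.refreshToken,
    accessToken: tok.access_token,
    expiresAt: now + (tok.expires_in || 0) * 1000,
  });
  return { access_token: tok.access_token, expires_in: tok.expires_in };
}

function hasRefreshToken(sessionId) {
  const entry = tokenStore.get(sessionId);
  return Boolean(entry && entry.refreshToken);
}

async function postToTokenEndpoint(params, fetchImpl) {
  const res = await fetchImpl(TOKEN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res.json();
}

// Redirect target: the auth server sends the user here with ?code=...
async function handleCallback(sessionId, code, fetchImpl = fetch) {
  const tok = await postToTokenEndpoint(buildCodeExchangeParams(code), fetchImpl);
  return storeTokenResponse(sessionId, tok);
}

// Called by the client when its access token expires; it never sees the refresh token.
async function refreshForSession(sessionId, fetchImpl = fetch) {
  const entry = tokenStore.get(sessionId);
  if (!entry || !entry.refreshToken) throw new Error('no refresh token for session');
  const tok = await postToTokenEndpoint(buildRefreshParams(entry.refreshToken), fetchImpl);
  return storeTokenResponse(sessionId, tok);
}

// Constructed stand-in for the authorization server's token endpoint (offline demo only).
async function fakeAuthServerFetch(url, init) {
  const p = new URLSearchParams(init.body);
  const clientOk = p.get('client_id') === CLIENT_ID && p.get('client_secret') === CLIENT_SECRET;
  let body = null;
  if (clientOk && p.get('grant_type') === 'authorization_code' && p.get('code') === 'code-123') {
    body = { access_token: 'at-1', refresh_token: 'rt-1', expires_in: 3600, token_type: 'Bearer' };
  } else if (clientOk && p.get('grant_type') === 'refresh_token' && p.get('refresh_token') === 'rt-1') {
    body = { access_token: 'at-2', expires_in: 3600, token_type: 'Bearer' };
  }
  return { ok: body !== null, status: body ? 200 : 400, json: async () => body };
}

(async () => {
  const first = await handleCallback('demo-session', 'code-123', fakeAuthServerFetch);
  const second = await refreshForSession('demo-session', fakeAuthServerFetch);
  console.log('to client after login:', first);   // no refresh_token in this object
  console.log('to client after refresh:', second);
  console.log('server still holds refresh token:', hasRefreshToken('demo-session'));
})().catch(console.error);
```

The key design point is that the objects returned to the browser are built by `storeTokenResponse` and deliberately omit `refresh_token` and the client secret; the Angular app calls the server's refresh route with its session cookie rather than talking to the token endpoint itself.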

