How to store laravel passport token on browser and how and when to send refresh token

I am using Laravel Passport to generate an access token and a refresh token.
How and when should I check whether the token is expired, and how do I request a new token?

If you have a JavaScript application, you should probably use the OAuth2 Implicit flow which gives you an access token and its expiration time. So don't use the Authorization Code Grant flow which works with refresh tokens - it requires a client secret which you cannot keep safe in a browser.

When you get an access token, schedule its refresh using window.setTimeout(). You could refresh it without user interaction using the request parameter prompt=none (see OpenID Connect RFC). If the token gets invalidated before its regular timeout, you will get an "HTTP 401 Unauthorized" response from a backend. In such case, check the token validity and get a new one if necessary.

It's not a good idea to have the access token as a cookie, because it gets attached to every request (with the same domain, port and possibly path), which may be a security problem. Keep it in sessionStorage.
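The following is an added example, not code from the question or the answer above, showing the client-side handling the answer describes in JavaScript: the token is kept in sessionStorage (not a cookie) together with its absolute expiry time, a silent refresh is scheduled with setTimeout a margin before expiry, and a request that comes back with HTTP 401 triggers a validity check and exactly one retry with a fresh token. The `refresh` function is a hypothetical caller-supplied async function that obtains a new token (for example through a prompt=none request) and resolves to `{ access_token, expires_in }`; that response shape and the storage key names are assumptions. An in-memory shim stands in for sessionStorage when the code runs outside a browser.

```javascript
// Added example (not the original post's code): browser-side handling of a
// short-lived access token. Assumed token shape: { access_token, expires_in }.

const TOKEN_KEY = "access_token";                    // assumed storage keys
const EXPIRY_KEY = "access_token_expires_at";
const REFRESH_MARGIN_MS = 30 * 1000;                 // refresh 30 s before expiry

// sessionStorage exists only in browsers; fall back to an in-memory object
// with the same three methods so the example also runs under Node.
const storage = typeof sessionStorage !== "undefined" ? sessionStorage : (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
})();

// Store the token with its absolute expiry; returns that expiry (ms epoch).
function saveToken(accessToken, expiresInSec, now = Date.now()) {
  const expiresAt = now + expiresInSec * 1000;
  storage.setItem(TOKEN_KEY, accessToken);
  storage.setItem(EXPIRY_KEY, String(expiresAt));
  return expiresAt;
}

// Read the stored token: null if absent, otherwise { token, expiresAt, expired }.
function loadToken(now = Date.now()) {
  const token = storage.getItem(TOKEN_KEY);
  const expiresAt = Number(storage.getItem(EXPIRY_KEY));
  if (!token || !Number.isFinite(expiresAt)) return null;
  return { token, expiresAt, expired: now >= expiresAt };
}

function clearToken() {
  storage.removeItem(TOKEN_KEY);
  storage.removeItem(EXPIRY_KEY);
}

// Milliseconds until the scheduled refresh: a safety margin before expiry,
// clamped at zero so an already-stale token is refreshed immediately.
function refreshDelayMs(expiresAt, now = Date.now(), marginMs = REFRESH_MARGIN_MS) {
  return Math.max(0, expiresAt - marginMs - now);
}

// Schedule the silent refresh with setTimeout (injectable for testing).
// On success the new token is stored and the next refresh is scheduled; on
// failure the token is cleared so the user goes back through login.
function scheduleRefresh(expiresAt, refresh, timer = setTimeout, now = Date.now()) {
  const delay = refreshDelayMs(expiresAt, now);
  return timer(async () => {
    try {
      const t = await refresh();
      const next = saveToken(t.access_token, t.expires_in);
      scheduleRefresh(next, refresh, timer);
    } catch (_err) {
      clearToken();
    }
  }, delay);
}

// Attach the bearer token from sessionStorage to a request. If the token is
// missing or expired, refresh first; if the backend still answers 401 (token
// invalidated before its timeout), refresh and retry exactly once.
async function authorizedFetch(url, refresh, fetchImpl = fetch, init = {}) {
  const send = (token) => fetchImpl(url, {
    ...init,
    headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` },
  });
  let stored = loadToken();
  if (!stored || stored.expired) {
    const t = await refresh();
    saveToken(t.access_token, t.expires_in);
    stored = loadToken();
  }
  let res = await send(stored.token);
  if (res.status === 401) {
    const t = await refresh();
    saveToken(t.access_token, t.expires_in);
    res = await send(t.access_token);
  }
  return res;
}
```

Usage in a browser app: after login, call `saveToken(access_token, expires_in)` and `scheduleRefresh(expiresAt, refresh)`, then route API calls through `authorizedFetch(url, refresh)`. The retry is deliberately limited to one so a backend that keeps rejecting the token cannot put the client into a refresh loop.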
