Is it ever reasonable to revoke a refresh token after a period of time?
I read here and wonder: should the server ever just revoke the refresh token after a certain period of time and force the user to log in again? I can't remember when I last had to enter my login credentials for Gmail.
What do banks (or any site that stores sensitive data) do if a given user keeps refreshing their token for 200 days? Should they allow the user to continue to use the site? I understand it involves user interaction, so it's not something that is easy to automate.
The refresh token lifetime (or whether refresh is enabled at all) is decided by an administrator who controls the assets - not by the end user.
Use of short-lived tokens is preferred - it is technically simple and zero maintenance.
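To make the answer concrete, here is an added example (written for this page, not code from the question or the answer above) of the policy that most identity providers actually apply to the "200 days of refreshing" case: a short-lived access token, a refresh token that is rotated on every use, a sliding idle window that is renewed by each refresh, and an absolute session lifetime measured from the interactive login that no amount of refreshing can extend. All durations, class and function names and the in-memory store are assumptions for illustration; a real deployment would persist the records and read the lifetimes from the administrator's configuration.

```python
"""Added example, not from the original Q&A: a refresh-token store with
a sliding idle window, an absolute lifetime, and one-time-use rotation.
Names, durations and the in-memory store are assumptions for illustration."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ACCESS_TTL = 15 * 60                 # assumed: access tokens live 15 minutes
REFRESH_IDLE_TTL = 30 * 86400        # assumed: must refresh at least every 30 days
REFRESH_ABSOLUTE_TTL = 90 * 86400    # assumed: hard cap, re-login after 90 days


@dataclass
class RefreshRecord:
    user: str
    session_started: float   # time of the interactive login; never moves
    last_refresh: float      # advanced on every successful refresh
    rotated: bool = False    # True once this token has been exchanged


class TokenService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        # keyed by the SHA-256 of the token so a leaked store yields nothing usable
        self._records: Dict[str, RefreshRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue_refresh(self, user: str, session_started: float, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = RefreshRecord(user, session_started, now)
        return token

    def login(self, user: str) -> dict:
        """Interactive login: starts a new session and its absolute-lifetime clock."""
        now = self.clock()
        return {"access_ttl": ACCESS_TTL,
                "refresh_token": self._issue_refresh(user, now, now)}

    def refresh(self, token: str) -> Optional[dict]:
        """Exchange a refresh token; returns None when the client must log in again."""
        now = self.clock()
        key = self._digest(token)
        rec = self._records.get(key)
        if rec is None:
            return None                       # unknown or already expired
        if rec.rotated:
            # A rotated token presented a second time means two parties hold it.
            # Treat it as compromise and revoke every token of that user.
            self.revoke_user(rec.user)
            return None
        if now - rec.session_started > REFRESH_ABSOLUTE_TTL:
            del self._records[key]            # absolute lifetime hit: force re-login
            return None
        if now - rec.last_refresh > REFRESH_IDLE_TTL:
            del self._records[key]            # idle too long: force re-login
            return None
        rec.rotated = True                    # one-time use: old token is now dead
        new_token = self._issue_refresh(rec.user, rec.session_started, now)
        return {"access_ttl": ACCESS_TTL, "refresh_token": new_token}

    def revoke_user(self, user: str) -> int:
        """Administrative revocation: drop every refresh token of a user."""
        keys = [k for k, r in self._records.items() if r.user == user]
        for k in keys:
            del self._records[k]
        return len(keys)


if __name__ == "__main__":
    fake_now = [0.0]
    svc = TokenService(clock=lambda: fake_now[0])
    tok = svc.login("alice")["refresh_token"]
    # refresh every 20 days: the idle window keeps renewing, the absolute cap does not
    for day in (20, 40, 60, 80, 100):
        fake_now[0] = day * 86400
        result = svc.refresh(tok)
        print(f"day {day}: {'refreshed' if result else 'must log in again'}")
        if result:
            tok = result["refresh_token"]
```

Run as a script it shows the point of the answer: refreshing every 20 days keeps the session alive through day 80, and on day 100 the absolute lifetime (set by the administrator, not the user) ends it regardless of how active the client was. Reuse of an already-rotated token revokes the whole session, which is how leaked refresh tokens are detected in practice.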