
OIDC Access Token - Where to store?

As we know there are three tokens involved in OpenID Connect:

  1. Access Tokens in OIDC are, by default, a random unique string, not encoded using JWT.
  2. The ID token is encoded using JWT.
  3. Refresh Tokens.

We usually place the ID token in the cookie in httpOnly mode.

My question is, where is the recommended storage for Access tokens? Surely you need to store them on the app side.

You can store the tokens wherever you like, but the most common approaches are:

  • Store the tokens inside the cookie. If the tokens are large, then this might be a problem because the cookies might get quite big.
  • Store the tokens in a cache in memory or in a database and store a "reference" to them in the session cookie.

The ID token usually has a very short lifetime (like 5 minutes from some providers) and it is used to create the local "user" object.
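The second approach from the answer above, worked through as an added example that is not part of the original thread: the tokens never leave the server, and the browser only holds an opaque, random reference in an httpOnly, Secure cookie. The in-memory dict standing in for the cache, the cookie name `sid`, and the session lifetime are assumptions for this example; a real deployment would use a shared store so every application instance can resolve the reference, and would size the lifetime to the token lifetimes it gets from the provider.

```python
"""Server-side token storage with an opaque session reference in a cookie.

Added example, not from the original thread. The dict below stands in for
the cache/database the answer mentions; everything else is standard library.
"""
import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_COOKIE = "sid"      # assumed cookie name
SESSION_TTL = 8 * 3600      # assumed server-side session lifetime, seconds


@dataclass
class TokenSet:
    """The three OIDC tokens for one logged-in user (kept server-side only)."""
    access_token: str
    id_token: str
    refresh_token: Optional[str] = None
    created: float = field(default_factory=time.time)


# The "cache": opaque session id -> tokens. In-memory for this example only.
_store: Dict[str, TokenSet] = {}


def create_session(tokens: TokenSet) -> str:
    """Persist the tokens server-side and return the opaque reference.

    The reference carries no information about the user or the tokens; it is
    just 256 bits of randomness, so it is worthless to anyone who reads it
    after it has been revoked and cannot be forged or decoded.
    """
    sid = secrets.token_urlsafe(32)
    _store[sid] = tokens
    return sid


def session_cookie_header(sid: str, secure: bool = True) -> str:
    """Build the Set-Cookie value that carries only the reference.

    The cookie stays tiny regardless of token size, which is the point of
    the reference approach. HttpOnly keeps it out of reach of page scripts,
    Secure restricts it to HTTPS, SameSite=Lax limits cross-site sending.
    """
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["secure"] = secure
    c[SESSION_COOKIE]["samesite"] = "Lax"
    c[SESSION_COOKIE]["path"] = "/"
    c[SESSION_COOKIE]["max-age"] = SESSION_TTL
    return c[SESSION_COOKIE].OutputString()


def tokens_for_request(cookie_header: str,
                       now: Optional[float] = None) -> Optional[TokenSet]:
    """Resolve the reference found in an incoming Cookie header.

    Returns None when the cookie is absent, unknown, or the server-side
    session has expired (expired entries are evicted on the way out).
    """
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(SESSION_COOKIE)
    if morsel is None:
        return None
    tokens = _store.get(morsel.value)
    if tokens is None:
        return None
    now = time.time() if now is None else now
    if now - tokens.created > SESSION_TTL:
        _store.pop(morsel.value, None)
        return None
    return tokens


def end_session(cookie_header: str) -> bool:
    """Logout: drop the server-side entry so the reference becomes useless
    immediately, even if the browser still holds the cookie."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(SESSION_COOKIE)
    if morsel is None:
        return False
    return _store.pop(morsel.value, None) is not None


if __name__ == "__main__":
    # Constructed sample tokens; a real provider issues these after login.
    ts = TokenSet("at-constructed", "idt-constructed", "rt-constructed")
    sid = create_session(ts)
    print("Set-Cookie:", session_cookie_header(sid))
    print("resolved:", tokens_for_request(f"{SESSION_COOKIE}={sid}") is ts)
    print("logged out:", end_session(f"{SESSION_COOKIE}={sid}"))
    print("after logout:", tokens_for_request(f"{SESSION_COOKIE}={sid}"))
```

Because the access token lives only in the server-side store, a leaked cookie is neutralised by deleting one entry, and the cookie's size is independent of however large the provider's tokens are, which sidesteps the size problem the answer notes for the first approach.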
