如何撤销用户作为管理员用户的访问令牌和刷新令牌? 在 Oauth2 中使用 JWT 时
[英]How to revoke the access token and refresh token of the user as an admin user? while using JWT in Oauth2
问题描述
How to revoke the access token and refresh token of the user as an admin user?
如何撤销用户作为管理员用户的访问令牌和刷新令牌? while using JWT in Oauth2.在 Oauth2 中使用 JWT 时。 is it recommended to store token in Database ?是否建议将令牌存储在数据库中?
1 个解决方案
解决方案1
0 2021-07-24 07:25:17
If you want to be able to revoke tokens, then there is no other way but to keep some data in the database.如果您希望能够撤销令牌,那么除了在数据库中保留一些数据之外别无他法。 You can either keep the concrete tokens, and mark them as revoked until they're expired, or you can keep an entry with clientID/userID and a timestamp, and do not accept tokens issued to that client/user, before the given timestamp.您可以保留具体的令牌,并将它们标记为已撤销,直到它们过期,或者您可以保留一个带有 clientID/userID 和时间戳的条目,并且在给定的时间戳之前不接受颁发给该客户端/用户的令牌。
If you want to be able to revoke access tokens, then you have to remember that all APIs, which consume that token, will have to call that database to check if the token was revoked or not.如果您希望能够撤销访问令牌,那么您必须记住,所有使用该令牌的 API 都必须调用该数据库来检查该令牌是否已被撤销。 It is usually easier to have short lived access tokens (15 or even 5 minutes), and only deal with revoking the refresh token, as the RT is only used in your Authorization Server.拥有短期访问令牌(15 甚至 5 分钟)通常更容易,并且只处理撤销刷新令牌,因为 RT 仅在您的授权服务器中使用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.