存储来自多个提供商的访问和刷新令牌?
[英]Storing Access & Refresh tokens from multiple Providers?
问题描述
Say I am allowing my users to connect to Facebook, Instagram, Pinterest & Twitter, so they can use their API's.
假设我允许我的用户连接到 Facebook、Instagram、Pinterest 和 Twitter,这样他们就可以使用他们的 API。 So I get access tokens for all those providers.因此,我获得了所有这些提供商的访问令牌。
From what I've read, my inclination now is to store them in a http-only cookie.根据我的阅读,我现在倾向于将它们存储在一个仅限 http 的 cookie 中。
However, with 4 access tokens, would that mean that all 4 access tokens are always being sent on every request?但是,如果有 4 个访问令牌,是否意味着所有 4 个访问令牌总是在每次请求时发送?
What would be a secure approach here?这里的安全方法是什么? Or would I in this case not store them on the client at all?还是在这种情况下我根本不会将它们存储在客户端上?
1 个解决方案
解决方案1
1 2022-02-08 07:57:03
It depends on the exact architecture of your solution.这取决于您的解决方案的确切架构。 If you have a backend, and your backend calls these APIs then you can keep those tokens in your backend.如果您有后端,并且您的后端调用这些 API,那么您可以将这些令牌保留在后端。 They don't have to be kept in the front-end at all.它们根本不必保留在前端。 If your front-end needs those tokens (eg it is calling these APIs directly), then you have to keep the tokens there, and they have to be readable by your frontend app (so they can't be stored in an HTTP-only cookie).如果您的前端需要这些令牌(例如,它直接调用这些 API),那么您必须将令牌保存在那里,并且它们必须可以被您的前端应用程序读取(因此它们不能存储在仅 HTTP 中曲奇饼)。
I would struggle not to have any tokens in the browser.我会努力让浏览器中没有任何令牌。 It's best to keep them in the backend.最好将它们保留在后端。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.