
Is it necessary to check refresh token ownership to issue new access tokens?

I'm not sure I really understand how refresh tokens are supposed to be stored/checked. From this reference and other things I've read, I feel like it makes sense to store the ownership of every refresh token. This information can then be used to revoke a given user's refresh tokens and also to create new access tokens for the specified user. (Correct me if I'm wrong.)

But does it make sense to try to check the user's identity when they try to get a new access token? For example, I just have this simple check in the refresh token endpoint:

from datetime import datetime

async def refresh_access_token(request):
    data = await request.form()
    query = database.session.query(RefreshToken)
    # look the token up by the opaque id the client sent in the form body
    refresh_token = query.filter(RefreshToken.id == data['refresh_token']).first()
    # reject unknown or expired tokens (utcnow() here is datetime.utcnow)
    if refresh_token is None or refresh_token.expires < datetime.utcnow():
        raise SomeError("...")

And this is pretty much the only thing I do before issuing a new access token for the user associated with this refresh_token (I send a second request to get the user from my database using the owner's identifier from this refresh_token).

Would it make sense to also ask the user for their identity? For example, using a (potentially expired) access token? Or should the refresh token be self-sufficient?

Again, for the example and maybe disambiguation:

    import jwt  # PyJWT

    # note: in practice the header value usually carries a "Bearer " prefix that must be stripped first
    access_token = request.headers['Authorization']
    # PyJWT 2.x requires an explicit algorithms list; HS256 is assumed here.
    # verify_exp=False still verifies the signature, only the expiry check is skipped.
    payload = jwt.decode(access_token, str(JWT_SECRET_KEY), algorithms=['HS256'], options={'verify_exp': False})

The code jwt.decode would raise InvalidSignatureError if the signature didn't match (jwt comes from PyJWT).

Is adding this kind of identity check before issuing the new access token bad/good/essential?

Is it necessary to check refresh token ownership

The short answer here would be no, it's not a part of any OAuth2 RFC.

However, something that an application may enforce is the association between the refresh token and the client id and/or secret.

A refresh request should look like the example below:

POST /oauth/token HTTP/1.1
Host: authorization-server.com

grant_type=refresh_token
&refresh_token=xxxxxxxxxxx
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx

No other client should have the secret associated with a given refresh token; each client is typically only given one, so many applications check the "ownership" of the refresh token to make sure it has not been compromised.
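The following is an added example (not code from the question or the answer) showing how the refresh endpoint from the question can enforce the client association the answer describes: it authenticates the client by client_id and client_secret from the form body, then requires that the refresh token was issued to that same client. The in-memory Client/RefreshToken stores, the secret hashing and the "access-for-<user>" token format are constructed stand-ins for the asker's database models; the error codes invalid_client and invalid_grant are the ones RFC 6749 defines for these failures.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def _now() -> datetime:
    return datetime.now(timezone.utc)


def _hash_secret(secret: str) -> str:
    # Constructed stand-in for however the app stores client secrets at rest.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Client:
    client_id: str
    secret_hash: str


@dataclass
class RefreshToken:
    id: str
    user_id: str
    client_id: str   # the client this token was issued to ("ownership")
    expires: datetime
    revoked: bool = False


# Constructed in-memory tables standing in for the database.
CLIENTS = {
    "app-a": Client("app-a", _hash_secret("secret-a")),
    "app-b": Client("app-b", _hash_secret("secret-b")),
}
TOKENS: dict = {}


class RefreshError(Exception):
    """Raised with an RFC 6749 error code as its message."""


def issue_refresh_token(user_id: str, client_id: str, ttl_seconds: int = 30 * 86400) -> RefreshToken:
    """Mint an opaque refresh token bound to both a user and the requesting client."""
    token = RefreshToken(
        id=secrets.token_urlsafe(32),
        user_id=user_id,
        client_id=client_id,
        expires=_now() + timedelta(seconds=ttl_seconds),
    )
    TOKENS[token.id] = token
    return token


def refresh_access_token(form: dict) -> dict:
    """Handle a grant_type=refresh_token request (form fields as in the answer's example)."""
    if form.get("grant_type") != "refresh_token":
        raise RefreshError("unsupported_grant_type")

    # 1. Authenticate the client: constant-time compare against the stored hash.
    client = CLIENTS.get(form.get("client_id", ""))
    presented = _hash_secret(form.get("client_secret", ""))
    if client is None or not hmac.compare_digest(client.secret_hash, presented):
        raise RefreshError("invalid_client")

    # 2. Validate the refresh token itself (the check the question already has).
    token = TOKENS.get(form.get("refresh_token", ""))
    if token is None or token.revoked or token.expires < _now():
        raise RefreshError("invalid_grant")

    # 3. Ownership check: the token must have been issued to this client.
    #    A valid token presented by a different client is a compromise signal,
    #    so revoke it rather than just refusing this one request.
    if token.client_id != client.client_id:
        token.revoked = True
        raise RefreshError("invalid_grant")

    # The user identity comes from the stored token, not from the caller,
    # so no (expired) access token needs to be presented.
    return {
        "access_token": f"access-for-{token.user_id}",
        "token_type": "bearer",
        "expires_in": 900,
    }
```

Step 3 is what makes the stored ownership useful: without it, anyone who obtains the refresh token string can redeem it through any client they control, and step 2 alone would accept it.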
