What are the benefits of refresh tokens in OAuth2?

Based upon The OAuth 2.0 Protocol, refresh tokens are used to re-authenticate the access token and mainly to maintain revocation by saving refresh tokens into a database and controlling them. What is the benefit of doing this? Why not save the access token itself?


Access tokens are short lived; they normally only work for 1 hour. In order to get a new access token you use the refresh token.

Page 24

Authorization servers SHOULD issue access tokens with a limited
   lifetime and require clients to refresh them by requesting a new
   access token using the same assertion if it is still valid.
   Otherwise the client MUST obtain a new valid assertion.

By sending a refresh token and requesting a new access token, you give the authentication server a chance to verify that you still have access and that the user has not revoked your access.

Answering why below:

The reason access tokens are short lived is that if they are compromised, the attacker has a limited amount of time to use them. They will normally expire within an hour.

If the refresh token is compromised it is useless, because the hacker doesn't have access to the client ID, which must be sent to the authentication server at the same time to get a new access token.
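The server-side flow the answer describes (refresh tokens kept in a database so they can be checked and revoked on every refresh, while access tokens stay short lived), as an added illustration that is not code from the question, the answer or any OAuth library. The in-memory store, the client registry and the one-hour lifetime are constructed assumptions; the store also rotates the refresh token on each use so that a replayed old token is rejected.

```python
import hashlib
import hmac
import secrets
import time

ACCESS_TOKEN_TTL = 3600  # seconds; the roughly one-hour lifetime mentioned above


class TokenStore:
    """Stand-in for the database the question mentions (constructed, in-memory)."""

    def __init__(self):
        # Only a hash of each refresh token is stored, so a leaked DB does not leak usable tokens.
        self.refresh = {}  # sha256(refresh_token) -> {"client_id", "user", "revoked"}
        self.clients = {"app-123": "client-secret-xyz"}  # constructed client registry

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_refresh_token(self, client_id, user):
        token = secrets.token_urlsafe(32)
        self.refresh[self._key(token)] = {"client_id": client_id, "user": user, "revoked": False}
        return token

    def revoke(self, token):
        """Called when the user revokes the app; the next refresh attempt will fail."""
        rec = self.refresh.get(self._key(token))
        if rec is not None:
            rec["revoked"] = True

    def refresh_access_token(self, client_id, client_secret, refresh_token, now=None):
        """Return a new short-lived access token, or None if the refresh must be rejected."""
        now = time.time() if now is None else now
        expected = self.clients.get(client_id)
        # The client must authenticate itself; a refresh token alone is not enough.
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None
        rec = self.refresh.get(self._key(refresh_token))
        # Unknown, revoked, or bound to a different client: the server says no.
        if rec is None or rec["revoked"] or rec["client_id"] != client_id:
            return None
        rec["revoked"] = True  # rotation: each refresh token is single use
        return {
            "access_token": secrets.token_urlsafe(24),
            "expires_at": now + ACCESS_TOKEN_TTL,
            "refresh_token": self.issue_refresh_token(client_id, rec["user"]),
        }
```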


See "Why Does OAuth v2 Have Both Access and Refresh Tokens?" for an extended answer that includes the revocation considerations.
