oauth-2.0 - Does the refresh token expire, and if so, when?

Tags: oauth-2.0 podio

I have read the PODIO documentation. In particular, I am considering the following statement about using the refresh_token:

This request returns the same data as above, and you can continue to do this over and over again, to keep your application authenticated without having to ask the user to re-authenticate.



Does this mean that the refresh_token will be valid indefinitely, or does it expire:
  • X days after it is issued; or
  • X days after it was last used to obtain a new access_token

  • EDIT: Please see this PODIO thread, which raises the same question but does not seem to give any conclusive answer about PODIO's implementation of the OAuth 2.0 protocol.

    Best answer

    The answer to your question:

    Does this mean that the refresh_token will be indefinitely valid or does it expire?


    ...can be concluded from section 1.5 and section 10.4 of the OAuth 2.0 specification.
    Section 1.5 states about the refresh_token:

    Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner)


    Section 10.4 (Security Considerations) states about the refresh_token:

    The authorization server MUST verify the binding between the refresh token and client identity whenever the client identity can be authenticated. When client authentication is not possible, the authorization server SHOULD deploy other means to detect refresh token abuse.

    For example, the authorization server could employ refresh token rotation in which a new refresh token is issued with every access token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token, which will inform the authorization server of the breach.


    It can be concluded that if the authorization server is able to verify the binding between the refresh_token and the client to which it was issued, the refresh_token can be used to obtain multiple access_tokens and never expires. Otherwise, the authorization server will invalidate the old refresh_token and generate a new refresh_token with every access token refresh response.
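To make the section 10.4 behaviour concrete, here is an added toy authorization server (example code, not Podio's implementation or the answerer's) that rotates the refresh token on every refresh, retains the retired tokens, checks the client binding, and revokes the whole token family when a retired token is presented again. The `AuthServer` class and the `outcome` helper are assumed names for this illustration.

```python
# Added example: refresh token rotation with reuse detection (RFC 6749 section 10.4).
# Token values are random placeholders; no real Podio endpoint or identifier is used.
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    """One user authorization; every token minted from it shares this family."""
    client_id: str
    current_refresh: str
    retired: set = field(default_factory=set)   # previously issued, now invalid
    revoked: bool = False                       # set once reuse is detected


class AuthServer:
    def __init__(self):
        self._by_refresh = {}   # refresh_token -> Grant (current or retired)

    def authorize(self, client_id):
        """Initial grant: returns (access_token, refresh_token)."""
        rt = secrets.token_urlsafe(32)
        self._by_refresh[rt] = Grant(client_id, rt)
        return secrets.token_urlsafe(32), rt

    def refresh(self, client_id, refresh_token):
        """Refresh grant: returns a new (access_token, refresh_token) pair."""
        grant = self._by_refresh.get(refresh_token)
        # Section 10.4: verify the binding between refresh token and client identity.
        if grant is None or grant.client_id != client_id:
            raise PermissionError("invalid_grant")
        if grant.revoked:
            raise PermissionError("invalid_grant: family revoked")
        if refresh_token in grant.retired:
            # A retired token was replayed: either the attacker or the legitimate
            # client is holding a stale copy, so the server knows of the breach.
            grant.revoked = True
            raise PermissionError("invalid_grant: refresh token reuse detected")
        # Rotate: retire the presented token and issue a new one for the same grant.
        grant.retired.add(refresh_token)
        new_rt = secrets.token_urlsafe(32)
        grant.current_refresh = new_rt
        self._by_refresh[new_rt] = grant
        return secrets.token_urlsafe(32), new_rt


def outcome(server, client_id, refresh_token):
    """Return 'ok' or the invalid_grant reason, for logging or assertions."""
    try:
        server.refresh(client_id, refresh_token)
        return "ok"
    except PermissionError as exc:
        return str(exc)
```

With this scheme a refresh_token never has a calendar expiry, yet a leaked copy becomes useless as soon as either party refreshes again.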

    Regarding "oauth-2.0 - Does the refresh token expire, and if so, when?", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/40555855/
