Is Using a Refresh Token in Token-based Authentication Secure?

冷眼眸甩不掉的悲伤 submitted on 2019-12-06 05:54:08

Question


I am building a token based authentication (Node.js using passport/JWT with an angular client).

After the user enters his credentials he gets an access token, which he sends in every request inside the header (header: bearer TOKEN).

I don't want to prompt a login request every time his access token expires (about every day, I guess), so I've heard about refresh tokens. The refresh token never expires (or rarely expires) and is able to renew tokens indefinitely. When the access token is about to expire, the client can send a renew request to get a new access token by sending his refresh token.

I don't understand a few things, I might be missing something:

  1. How do long-living/never-expiring refresh tokens not ruin the security of having short-living access tokens?

  2. Cookies can be stolen and used until they expire. Tokens are short-living so they are more secure, but if I provide a long-living refresh token I lose the advantage of using tokens.

NOTE: I am aware that the refresh tokens are sent at the initial login, so they can't be spoofed in every request, but if they are spoofed at the initial request they are vulnerable.


Answer 1:


The refresh token is presented on a different path than the access token: the access token is only ever presented to the Resource Server, the refresh token is only ever presented to the Authorization Server. The access token can be self-contained so that it does not need costly calls to the Authorization Server to check its validity, but to mitigate loss and to increase accuracy (it cannot be revoked in case something goes wrong) it is short-lived. The refresh token is long lived and gets validated on each call to the Authorization Server and as such it can be revoked. The combination of the two makes the system secure.



Source: https://stackoverflow.com/questions/27359104/using-refesh-token-in-token-based-authentication-is-secured
