Question:
Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new access_token:
https://tools.ietf.org/html/rfc6749#section-4.2
Why have both? Why not just make the access_token last as long as the refresh_token and not have a refresh_token?
Solution:
Reference 1: https://stackoom.com/question/EdNv/为什么OAuth-v-同时具有访问权限和刷新令牌
Reference 2: https://oldbug.net/q/EdNv/Why-Does-OAuth-v2-Have-Both-Access-and-Refresh-Tokens
Source: oschina
Link: https://my.oschina.net/u/4432649/blog/4405865
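The following is an added illustration of the token lifecycle the question describes; it is not code from the question, from the linked answers, or from any real authorization server. It simulates an RFC 6749 style server that issues a short-lived access_token together with a long-lived refresh_token (token response, section 5.1), a resource server that accepts only unexpired access tokens, and the refresh_token grant (section 6) that mints a new access token without re-involving the user. The class and function names, the lifetimes ACCESS_TTL and REFRESH_TTL, the in-memory stores, the injectable clock and the single-use rotation of refresh tokens are all assumptions made for this example.

```python
"""
Simulated OAuth 2.0 token lifecycle (added example, not the page's code).

Assumptions: in-memory token stores, an injectable clock so expiry can be
tested without sleeping, 10-minute access tokens, 30-day refresh tokens,
and refresh-token rotation (each refresh token is single-use).
"""
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 600            # assumed: access tokens live 10 minutes
REFRESH_TTL = 30 * 86400    # assumed: refresh tokens live 30 days


@dataclass
class TokenRecord:
    client_id: str
    scope: str
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._access = {}    # access_token value -> TokenRecord
        self._refresh = {}   # refresh_token value -> TokenRecord

    def _mint(self, store, client_id, scope, ttl):
        tok = secrets.token_urlsafe(32)   # unguessable opaque token
        store[tok] = TokenRecord(client_id, scope, self.clock() + ttl)
        return tok

    def issue(self, client_id, scope):
        """Token response for a successful grant: both tokens (RFC 6749 5.1)."""
        return {
            "access_token": self._mint(self._access, client_id, scope, ACCESS_TTL),
            "token_type": "Bearer",
            "expires_in": ACCESS_TTL,
            "refresh_token": self._mint(self._refresh, client_id, scope, REFRESH_TTL),
            "scope": scope,
        }

    def refresh(self, client_id, refresh_token):
        """grant_type=refresh_token (RFC 6749 section 6).

        The refresh token must exist, be unexpired, be unrevoked and belong
        to the requesting client. It is then retired (rotation) and a fresh
        access_token plus a fresh refresh_token are returned.
        """
        rec = self._refresh.get(refresh_token)
        if (rec is None or rec.revoked or rec.expires_at <= self.clock()
                or rec.client_id != client_id):
            return {"error": "invalid_grant"}
        rec.revoked = True
        return self.issue(client_id, rec.scope)

    def revoke_refresh(self, refresh_token):
        """Server-side revocation, e.g. after a leaked-credential report."""
        rec = self._refresh.get(refresh_token)
        if rec is not None:
            rec.revoked = True

    def access_token_valid(self, access_token):
        """The check a resource server performs before serving a request."""
        rec = self._access.get(access_token)
        return rec is not None and not rec.revoked and rec.expires_at > self.clock()


def run_scenario():
    """Walk through issue -> expiry -> refresh -> rotation -> revocation."""
    clock = [1_000_000.0]                       # constructed fake time
    server = AuthorizationServer(clock=lambda: clock[0])
    first = server.issue("client-app", "read")
    results = {}
    results["fresh_access_ok"] = server.access_token_valid(first["access_token"])
    clock[0] += ACCESS_TTL + 1                  # access token ages out
    results["expired_access_rejected"] = not server.access_token_valid(first["access_token"])
    second = server.refresh("client-app", first["refresh_token"])
    results["refresh_yields_new_access"] = (
        "access_token" in second and server.access_token_valid(second["access_token"]))
    # Replaying the already-used refresh token fails because of rotation.
    results["old_refresh_rejected"] = (
        server.refresh("client-app", first["refresh_token"]).get("error") == "invalid_grant")
    # A different client cannot redeem someone else's refresh token.
    results["other_client_rejected"] = (
        server.refresh("other-app", second["refresh_token"]).get("error") == "invalid_grant")
    # Revoking the refresh token stops further minting ...
    server.revoke_refresh(second["refresh_token"])
    results["revoked_refresh_rejected"] = (
        server.refresh("client-app", second["refresh_token"]).get("error") == "invalid_grant")
    # ... but the outstanding access token keeps working only until ACCESS_TTL elapses.
    results["access_valid_until_expiry"] = server.access_token_valid(second["access_token"])
    clock[0] += ACCESS_TTL + 1
    results["access_dead_after_expiry"] = not server.access_token_valid(second["access_token"])
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The scenario makes the trade-off concrete: the resource server never has to consult the authorization server's revocation state to reject an old access token, because the token simply expires, while the long-lived credential (the refresh token) is only ever presented to the authorization server, where it can be rotated and revoked. Any exposure of an access token is therefore bounded by ACCESS_TTL regardless of how long the session as a whole lasts.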