登录查看更多内容

全部
OAuth

How do you use refresh tokens with different types of OAuth 2.0 clients and scopes?

由人工智能和领英社区提供技术支持

Refresh tokens are a way to obtain new access tokens without requiring the user to authenticate again. They are useful for long-lived applications that need to access protected resources on behalf of the user. However, not all OAuth 2.0 clients and scopes can use refresh tokens. In this article, you will learn how to use refresh tokens with different types of OAuth 2.0 clients and scopes, and what are the benefits and risks involved.

此文章中的业界达人

由社区从 7 条内容中精选。了解更多

1 Authorization Code Flow

The authorization code flow is the most common and secure way to obtain access and refresh tokens from an authorization server, making it suitable for web applications that can securely store the client credentials and communicate with the server via back-end channels. This process involves four steps: the client redirects the user to the authorization server, requests an authorization code with the desired scope and a refresh token, user authenticates and consents to the scope, and the server returns an authorization code to the client via a redirect URI. Then, the client exchanges the authorization code for an access token and a refresh token using its credentials and code. Finally, the client uses the access token to access the protected resources until it expires, and then uses the refresh token to request a new access token.

添加您的观点

2 Implicit Flow

The implicit flow is a simplified version of the authorization code flow which does not require the client to exchange an authorization code for an access token. This flow is suitable for single-page applications or mobile apps which cannot store the client credentials or use back-end channels. It consists of two steps: first, the client redirects the user to the authorization server and requests an access token with the desired scope; second, after the user authenticates and consents to the scope, the server returns an access token to the client via a redirect URI. However, this flow does not support refresh tokens as it would expose them to the browser or app, which are not secure environments. As a result, the client must either rely on the access token lifetime or prompt the user to authenticate again when the token expires.

添加您的观点

Anderson Luiz Mendes Matos

Google Certified Professional Cloud Architect | Google Certified Associate Cloud Engineer | Senior Principal Software Engineer | .NET | Microservices | AWS | IAM | OAuth2 | OpenID | SAML | FIDO
举报内容
The Implicit flow, however, is not recommended anymore as it leads to tokens potentially being exposed to unconfirmed callers, leading to token exposure to malicious users and applications, which in time can use those to perform actions without the user knowledge. To replace this a new extension was created for the Authorization Code flow called PKCE (Proof Key for Code Exchange) which mitigates that vulnerability and creates a secure flow for client-side applications like Single-page applications and pure JavaScript based applications.

已翻译

赞
Greg Rice

Experienced IAM and ML Platform Developer, DevOps Engineer and Architect (Python, Scala, Kotlin, Java, Golang) extravert who loves bringing diverse, inclusive teams together to turn ideas into scalable web services
举报内容
As mentioned by Anderson Luiz, this implicit flow requires a client secret which much be carefully guarded. Doing so outside of AWS SecretsManager/HashiCorp vault can be very risky, as any engineer, even in Infra, who every gets to see a client secret is now a point of exposure.

已翻译

赞

3 Resource Owner Password Credentials Flow

The resource owner password credentials flow is a way to obtain access and refresh tokens by directly sending the user's username and password to the authorization server. It is suitable for trusted applications that have a high degree of control over the user's credentials, such as legacy systems or native apps. The flow involves one step:

- The client sends the user's username and password, along with its credentials and the desired scope, to the authorization server and requests an access token and a refresh token.

The client uses the access token to access the protected resources until it expires, and then uses the refresh token to request a new access token. This flow is less secure than the other flows, because it requires the user to share their credentials with the client, and it bypasses the user's consent.

添加您的观点

Anderson Luiz Mendes Matos

Google Certified Professional Cloud Architect | Google Certified Associate Cloud Engineer | Senior Principal Software Engineer | .NET | Microservices | AWS | IAM | OAuth2 | OpenID | SAML | FIDO
举报内容
The security aspect of this flow is debatable. It has been said that there are no design flaws if you're considering a trusted application is being used for this. However, there is one key important thing: impersonation. By providing the application with your credentials like that, the application impersonates your user. It's later impossible to distinguish between what was done by your request (through your direct interaction) or by the underlying application. That, yes, can be extrapolated into the security aspect of this flow, as it creates this hard to track scenario. An important element on this flow is that it is extremely useful to provide OAuth and OpenID support for legacy applications that have no other integration options.

已翻译

赞
Greg Rice

Experienced IAM and ML Platform Developer, DevOps Engineer and Architect (Python, Scala, Kotlin, Java, Golang) extravert who loves bringing diverse, inclusive teams together to turn ideas into scalable web services
举报内容
As mentioned by Anderson Luiz Mendes Matos, there are no trusted applications. Every engineer has his price, and providing a castle-and-moat model where a service owned by you or your company receives an actual password puts your company in an unfortunate position of being liable for any data breaches. Instead, by using a third-party for AuthN, we can provide tokens that are passed along between involved microservices, each with their own scopes and aud claim, which will provide a way for the service receiving an overprivileged token sent to an unintended service has a chance to be rejected.

已翻译

赞

4 Client Credentials Flow

The client credentials flow is a way to obtain access tokens by using only the client's credentials, without involving the user. It is suitable for server-to-server applications that need to access protected resources that belong to the client itself, such as APIs or microservices. The flow involves one step:

- The client sends its credentials and the desired scope to the authorization server and requests an access token.

The client uses the access token to access the protected resources until it expires. The client credentials flow does not support refresh tokens, because there is no user involved in the process. Therefore, the client has to request a new access token when the previous one expires.

添加您的观点

5 Benefits and Risks of Refresh Tokens

Refresh tokens offer several advantages for OAuth 2.0 clients and users, such as reducing the frequency of user authentication, allowing the client to maintain long-lived sessions with the protected resources, and enabling the client to request different scopes for different access tokens. However, there are some risks to consider—such as increasing the attack surface, requiring more storage and management, and introducing more complexity and potential errors. As a result, refresh tokens should be used with care and only when necessary, adhering to best practices and recommendations of the OAuth 2.0 specification.

添加您的观点

Anderson Luiz Mendes Matos

Google Certified Professional Cloud Architect | Google Certified Associate Cloud Engineer | Senior Principal Software Engineer | .NET | Microservices | AWS | IAM | OAuth2 | OpenID | SAML | FIDO
(已编辑)
举报内容
To mitigate inherent risks related to the refresh token use, the Silent Renewal was designed as a way to avoid having to rely on refresh tokens for continuous access token renewal when using the Authorization Code Flow. It is quite similar to the regular authorization flow but instead of happening on the top-level navigation (redirecting the user) it happens on a hidden page element, with no interface disruption. The authorization request also carries a new parameter: the prompt. The "prompt=none" the caller instructs the identity provider to not render any login interface and to reply with either a simplified error or just the new authorization code immediately, which can be used by the caller to obtain a new access token.

已翻译

赞
Greg Rice

Experienced IAM and ML Platform Developer, DevOps Engineer and Architect (Python, Scala, Kotlin, Java, Golang) extravert who loves bringing diverse, inclusive teams together to turn ideas into scalable web services
举报内容
This may be a good reason to use something that has variable-duration refresh tokens, with more complex rules for when they're invalidated, and very low-TTL access tokens. Check out how Okta does it, but you could host this yourself with something like a custom CloudFoundry UAA and a little home-grown EventBus usage, but that's all in the AWS ecosystem.

已翻译

赞

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

Anderson Luiz Mendes Matos

Google Certified Professional Cloud Architect | Google Certified Associate Cloud Engineer | Senior Principal Software Engineer | .NET | Microservices | AWS | IAM | OAuth2 | OpenID | SAML | FIDO
(已编辑)
举报内容
From experience, my recommendation on this would be to leverage Authorization Code PKCE (RFC 7636) for all front-end based applications, whether they be client-side only or hybrid applications, and to leverage Client Credentials with Assertion (RFCs 7521 and 7523) for service to service communication. This helps ensure a secure environment, mitigate all major risks and avoid unnecessarily exposing your identity provider or APIs to token exfiltration or malicious entities. Also, by design, from experience and to avoid unnecessary exposure, I'd suggest disabling other flows, including Password and Implicit, as well as avoiding clients to use obtain and use refresh tokens.

已翻译

赞

OAuth

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How do you use refresh tokens with different types of OAuth 2.0 clients and scopes?

1

2

3

4

5

6

1 Authorization Code Flow

2 Implicit Flow

3 Resource Owner Password Credentials Flow

4 Client Credentials Flow

5 Benefits and Risks of Refresh Tokens

6 Here’s what else to consider

OAuth

给文章评分

感谢您的反馈

更多OAuth相关文章

更多相关阅读内容