
OAuth 2.0 Authorization Framework (Chinese edition) [6] - Refreshing an Access Token

Refreshing an Access Token

If the authorization server issued a refresh token to the client, the client makes a refresh request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:

grant_type
    REQUIRED. Value MUST be set to "refresh_token".

refresh_token
    REQUIRED. The refresh token issued to the client.

scope
    OPTIONAL. The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.

Because refresh tokens are typically long-lasting credentials used to request additional access tokens, the refresh token is bound to the client to which it was issued. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

For example, the client makes the following HTTP request using transport-layer security (with extra line breaks for display purposes only):

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

The authorization server MUST:

  • require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),
  • authenticate the client if client authentication is included and ensure that the refresh token was issued to the authenticated client, and
  • validate the refresh token.

If valid and authorized, the authorization server issues an access token as described in Section 5.1. If the request failed verification or is invalid, the authorization server returns an error response as described in Section 5.2.

The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.
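The whole procedure of this section, both sides of the exchange, as an added example that is not part of the RFC or of this translation: the client builds the refresh request (HTTP Basic for a confidential client, as in the example above, whose credential decodes to client_id s6BhdRkqt3 and secret gX1fBat3bV; client_id in the body for a public client), and the token endpoint applies the three MUSTs, the scope-narrowing rule, and refresh-token rotation with the new token keeping the original scope. The in-memory stores, the public client "mobile-app", the SHA-256 hashing of stored tokens and the rotate-on-every-use policy are assumptions made for the example, not requirements of the RFC.

```python
"""Refresh-token grant (RFC 6749 Section 6): client request + token endpoint.

Added example. Assumed, not from the RFC: in-memory client/token stores, a
constructed public client "mobile-app", SHA-256 hashing of stored refresh
tokens, and rotation (old token revoked) on every successful refresh.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registry. s6BhdRkqt3 / gX1fBat3bV is what the Basic credential
# in the RFC's example request decodes to; "mobile-app" is a made-up public client.
CLIENTS = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV", "confidential": True},
    "mobile-app": {"secret": None, "confidential": False},
}

# Refresh tokens are stored by hash so a leaked store does not leak usable tokens.
REFRESH_TOKENS = {}


def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_refresh_token(client_id, scope):
    """Mint a refresh token bound to client_id with the originally granted scope."""
    tok = secrets.token_urlsafe(32)
    REFRESH_TOKENS[_h(tok)] = {"client_id": client_id, "scope": set(scope), "revoked": False}
    return tok


def build_refresh_request(client_id, client_secret, refresh_token, scope=None):
    """Client side: return (headers, body) for POST /token per Section 6."""
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope:
        params["scope"] = " ".join(sorted(scope))  # space-delimited per Section 3.3
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:  # public client: identifies itself in the body
        params["client_id"] = client_id
    else:  # confidential client: HTTP Basic as in Section 2.3.1
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    return headers, urlencode(params)


def _identify_client(headers, form):
    """Return the client_id the request acts for, or None if it must be rejected."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        # Credentials included: they MUST be verified.
        try:
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        client = CLIENTS.get(cid)
        if client is None or client["secret"] is None:
            return None
        return cid if secrets.compare_digest(client["secret"], secret) else None
    # No credentials: acceptable only for a public client naming itself.
    cid = form.get("client_id")
    client = CLIENTS.get(cid)
    if client is None or client["confidential"]:
        return None  # confidential client MUST authenticate
    return cid


def handle_refresh(headers, body):
    """Token endpoint: returns (status, json-like dict) per Sections 5.1 / 5.2."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "refresh_token" or not form.get("refresh_token"):
        return 400, {"error": "invalid_request"}
    client_id = _identify_client(headers, form)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    rec = REFRESH_TOKENS.get(_h(form["refresh_token"]))
    # Validate the token and ensure it was issued to this very client.
    if rec is None or rec["revoked"] or rec["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}
    # Requested scope MUST NOT exceed the original grant; omitted means the original.
    requested = set(form["scope"].split()) if form.get("scope") else rec["scope"]
    if not requested <= rec["scope"]:
        return 400, {"error": "invalid_scope"}
    # Rotation: revoke the presented token; the new one keeps the ORIGINAL scope,
    # even when this access token was narrowed.
    rec["revoked"] = True
    new_refresh = issue_refresh_token(client_id, rec["scope"])
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": new_refresh,
        "scope": " ".join(sorted(requested)),
    }


if __name__ == "__main__":
    rt = issue_refresh_token("s6BhdRkqt3", {"read", "write"})
    hdrs, body = build_refresh_request("s6BhdRkqt3", "gX1fBat3bV", rt, {"read"})
    print(handle_refresh(hdrs, body))  # 200 with a narrowed access token
    print(handle_refresh(hdrs, body))  # invalid_grant: old token was rotated out
```

A point worth noting in the design: a failed request (wrong secret, escalated scope) leaves the presented refresh token untouched, while a successful one revokes it, so replaying a captured refresh request after the legitimate client has used it yields invalid_grant, which is also the signal a server can log to detect a stolen refresh token.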
