The OAuth 2.0 Authorization Framework, Chinese Edition [6] - Refreshing an Access Token
Refreshing an Access Token
If the authorization server issued a refresh token to the client, the client can, as described in Appendix B, assemble the following parameters in the "application/x-www-form-urlencoded" format, encode them in UTF-8, place them in the HTTP request body, and send the request to the token endpoint to refresh the access token:
grant_type
REQUIRED. The value must be "refresh_token".
refresh_token
REQUIRED. The refresh token issued to the client.
scope
OPTIONAL. The scope of the access request as described in Section 3.3. The requested scope must not include any scope the resource owner did not originally grant; if the parameter is omitted, it is treated as equal to the scope originally granted by the resource owner.
If the authorization server issued a refresh token to the client, the
client makes a refresh request to the token endpoint by adding the
following parameters using the “application/x-www-form-urlencoded”
format per Appendix B with a character encoding of UTF-8 in the HTTP
request entity-body:
grant_type
REQUIRED. Value MUST be set to “refresh_token”.
refresh_token
REQUIRED. The refresh token issued to the client.
scope
OPTIONAL. The scope of the access request as described by
Section 3.3. The requested scope MUST NOT include any scope
not originally granted by the resource owner, and if omitted is
treated as equal to the scope originally granted by the
resource owner.
Because refresh tokens are long-lived credentials used to request additional access tokens, a refresh token needs to be bound to the client it was issued to. If the client type is confidential, or the client was issued client credentials (or assigned other authentication requirements), the authorization server must authenticate the client as described in Section 3.2.1.
Because refresh tokens are typically long-lasting credentials used to
request additional access tokens, the refresh token is bound to the
client to which it was issued. If the client type is confidential or
the client was issued client credentials (or assigned other
authentication requirements), the client MUST authenticate with the
authorization server as described in Section 3.2.1.
For example, the client sends the following HTTP request over TLS:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
For example, the client makes the following HTTP request using
transport-layer security (with extra line breaks for display purposes
only):
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
The authorization server must:
- Authenticate confidential clients and any other client that was issued client credentials (or assigned other authentication requirements).
- If client authentication is included, verify it and ensure that the refresh token was issued to the authenticated client, and
- Validate the refresh token.
The authorization server MUST:
o require client authentication for confidential clients or for any
client that was issued client credentials (or with other
authentication requirements),
o authenticate the client if client authentication is included and
ensure that the refresh token was issued to the authenticated
client, and
o validate the refresh token.
If the request is valid and authorized, the authorization server issues an access token as described in Section 5.1; if verification fails or the request is invalid, it returns an error response as described in Section 5.2.
If valid and authorized, the authorization server issues an access
token as described in Section 5.1. If the request failed
verification or is invalid, the authorization server returns an error
response as described in Section 5.2.
The authorization server may issue a new refresh token, in which case the client must discard the old refresh token and replace it with the new one. After issuing the new refresh token, the authorization server may revoke the old one. If a new refresh token is issued, its scope must be identical to that of the refresh token the client included in the request.
The authorization server MAY issue a new refresh token, in which case
the client MUST discard the old refresh token and replace it with the
new refresh token. The authorization server MAY revoke the old
refresh token after issuing a new refresh token to the client. If a
new refresh token is issued, the refresh token scope MUST be
identical to that of the refresh token included by the client in the
request.
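The following Python is an added example, not part of the RFC or of this translation. It puts the whole of Section 6 into code: a client-side helper that assembles the refresh request (HTTP Basic credentials for a confidential client, bare client_id for a public one), and a server-side handler that performs the three checks the authorization server must make (client authentication, token-to-client binding, token validity), rejects any attempt to widen the scope, and then rotates the refresh token while keeping the replacement's scope identical to the original grant. The client id, secret and refresh token value are the ones from the RFC's example request; the in-memory dictionaries, the "public-app" client and its refresh token are constructed for the example, and the error codes are the Section 5.2 names.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample state for this example (a real server keeps this in a database).
# "s6BhdRkqt3"/"gX1fBat3bV" and the first refresh token come from the RFC example request;
# "public-app" and its token are assumptions added to show the unauthenticated path.
CLIENTS = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV", "confidential": True},
    "public-app": {"secret": None, "confidential": False},
}
# Each refresh token is bound to the client it was issued to and to the originally granted scope.
REFRESH_TOKENS = {
    "tGzv3JOkF0XG5Qx2TlKWIA": {"client_id": "s6BhdRkqt3", "scope": {"read", "write"}, "revoked": False},
    "pub-refresh-token-0001": {"client_id": "public-app", "scope": {"read"}, "revoked": False},
}


def build_refresh_request(refresh_token, client_id, client_secret=None, scope=None):
    """Client side: headers and urlencoded body of a Section 6 refresh request."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope:
        body["scope"] = " ".join(scope)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        body["client_id"] = client_id  # public client: identifies itself, cannot authenticate
    return headers, urlencode(body)


def identify_client(headers, params):
    """Return the client_id the request acts for, or None if authentication fails.

    A client holding a secret must present it (HTTP Basic, Section 3.2.1); a public client
    without credentials is only identified by the client_id form parameter.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            client_id, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None
        client = CLIENTS.get(client_id)
        if client and client["secret"] and hmac.compare_digest(client["secret"], secret):
            return client_id
        return None
    client = CLIENTS.get(params.get("client_id"))
    if client and not client["confidential"] and client["secret"] is None:
        return params["client_id"]
    return None


def handle_refresh(headers, body):
    """Authorization server side: the Section 6 checks, then refresh token rotation."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("grant_type") != "refresh_token" or "refresh_token" not in params:
        return 400, {"error": "invalid_request"}
    client_id = identify_client(headers, params)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    record = REFRESH_TOKENS.get(params["refresh_token"])
    # invalid_grant covers unknown, revoked and, crucially, tokens bound to a different client
    if record is None or record["revoked"] or record["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}
    requested = set(params["scope"].split()) if params.get("scope") else set(record["scope"])
    if not requested <= record["scope"]:  # the client may narrow, never widen, the grant
        return 400, {"error": "invalid_scope"}
    # Rotation: revoke the presented token and issue a replacement with the identical scope.
    record["revoked"] = True
    new_refresh = secrets.token_urlsafe(16)
    REFRESH_TOKENS[new_refresh] = {"client_id": client_id, "scope": set(record["scope"]), "revoked": False}
    return 200, {
        "access_token": secrets.token_urlsafe(16),
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": new_refresh,
        "scope": " ".join(sorted(requested)),
    }
```

Two points the code makes explicit that the prose leaves implicit: the binding check compares the token's recorded client against the client that actually authenticated on this request, not against a client_id the caller merely claims; and the narrowed scope applies to the access token only, while the rotated refresh token keeps the full original scope, so a later request can still ask for "write".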