OAuth 2.0 Authorization Framework, Chinese Edition [6] - Refreshing an Access Token

Refreshing an Access Token

If the authorization server issued a refresh token to the client, the client can refresh the access token by assembling the following parameters in "application/x-www-form-urlencoded" format as described in Appendix B, encoding them in UTF-8, placing them in the HTTP request body, and sending the request to the token endpoint:

grant_type
    Required. The value must be "refresh_token".

refresh_token
    Required. The refresh token issued to the client.

scope
    Optional. The scope of the access request as described in Section 3.3. The scope value must not include any scope that the resource owner did not originally grant; if this parameter is omitted, it is treated as equal to the scope originally granted by the resource owner.

If the authorization server issued a refresh token to the client, the client makes a refresh request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:

grant_type
    REQUIRED. Value MUST be set to "refresh_token".

refresh_token
    REQUIRED. The refresh token issued to the client.

scope
    OPTIONAL. The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.

Because a refresh token is a long-lived credential used to request additional access tokens, it must be bound to the client it was issued to. If the client type is confidential, or the client was issued client credentials (or assigned other authentication requirements), the authorization server must authenticate the client as described in Section 3.2.1.

Because refresh tokens are typically long-lasting credentials used to request additional access tokens, the refresh token is bound to the client to which it was issued. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

For example, the client sends the following HTTP request over TLS:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
For example, the client makes the following HTTP request using transport-layer security (with extra line breaks for display purposes only):

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

The authorization server must:

  • authenticate confidential clients, and any other client that was issued client credentials (or assigned other authentication requirements);
  • if client authentication is included, verify it and ensure that the refresh token was issued to the authenticated client; and
  • validate the refresh token.

The authorization server MUST:

o require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),

o authenticate the client if client authentication is included and ensure that the refresh token was issued to the authenticated client, and

o validate the refresh token.

If the request is valid and authorized, the authorization server issues an access token as described in Section 5.1; if verification fails or the request is invalid, it returns an error response as described in Section 5.2.

If valid and authorized, the authorization server issues an access token as described in Section 5.1. If the request failed verification or is invalid, the authorization server returns an error response as described in Section 5.2.

The authorization server may issue a new refresh token, in which case the client must discard the old refresh token and replace it with the new one. After issuing a new refresh token, the authorization server may revoke the old one. If a new refresh token is issued, its scope must be identical to that of the refresh token the client included in the request.

The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.
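The token-endpoint checks this section requires (client authentication, binding of the refresh token to the client, the scope restriction, and optional refresh-token rotation) as an added Python example; it is not code from RFC 6749 or from this translation. The client id and secret are those decoded from the example request's Basic header, the token store is a constructed in-memory dict, and `refresh_access_token`, `TokenError` and the one-day lifetimes are assumptions of the example.

```python
import secrets
import time

# Constructed in-memory stores standing in for the authorization server's database.
# Client id/secret are the ones in the RFC example's Basic header; lifetimes are assumed.
CLIENTS = {"s6BhdRkqt3": {"confidential": True, "secret": "gX1fBat3bV"}}
REFRESH_TOKENS = {
    "tGzv3JOkF0XG5Qx2TlKWIA": {"client_id": "s6BhdRkqt3", "scope": {"read", "write"},
                               "expires_at": time.time() + 86400, "revoked": False},
}

class TokenError(Exception):
    """Carries the Section 5.2 error code: invalid_client, invalid_grant, invalid_scope, ..."""

def refresh_access_token(params, client_id, client_secret=None, rotate=True):
    """Handle grant_type=refresh_token at the token endpoint (RFC 6749 Section 6).
    params: decoded form body; client_id/client_secret come from the Authorization
    header for confidential clients, or client_id alone from the body for public ones."""
    if params.get("grant_type") != "refresh_token":
        raise TokenError("unsupported_grant_type")
    client = CLIENTS.get(client_id)
    if client is None:
        raise TokenError("invalid_client")
    # Confidential clients (any client issued credentials) MUST authenticate.
    if client["confidential"] and not secrets.compare_digest(
            client["secret"], client_secret or ""):
        raise TokenError("invalid_client")
    token = REFRESH_TOKENS.get(params.get("refresh_token", ""))
    # Validate the refresh token: it must exist, be unexpired and unrevoked,
    # and have been issued to the client making this request (token binding).
    if (token is None or token["revoked"] or token["expires_at"] < time.time()
            or token["client_id"] != client_id):
        raise TokenError("invalid_grant")
    # Requested scope MUST NOT exceed what the resource owner originally granted;
    # an omitted scope means the originally granted scope.
    requested = set(params["scope"].split()) if "scope" in params else token["scope"]
    if not requested or not requested <= token["scope"]:
        raise TokenError("invalid_scope")
    response = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(sorted(requested))}
    if rotate:
        # Rotation: new refresh token with identical scope; the old one is revoked
        # so a replay of it fails with invalid_grant.
        new_token = secrets.token_urlsafe(24)
        REFRESH_TOKENS[new_token] = {**token, "expires_at": time.time() + 86400, "revoked": False}
        token["revoked"] = True
        response["refresh_token"] = new_token
    return response
```

A request for a narrower scope than originally granted yields an access token limited to that scope, while the rotated refresh token keeps the full originally granted scope, as the last paragraph requires.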
