One question which I frequently receive is: why would you want to use long-lived refresh tokens that generate short-lived access tokens, as commonly seen in OAuth 2.0, rather than long-lived access tokens? Aren't you simply replacing one long-lived token with another?

Before diving into everything, some vocabulary to clarify.

Definitions

Access token: a secret token that a client presents to a server to get access to the resources that server protects. These can either be long-lived (and potentially never expire), or short-lived, where they might last for only hours to days.

Refresh token: a long-lived secret token that itself does not grant access to resources, but which can instead be exchanged with an authorization server for a short-lived access token.

Authorization server: the server(s) which consume refresh tokens and issue access tokens.

Resource server: the server(s) which consume and validate access tokens, and grant access to the protected resource if the token is valid.

There isn't any one huge advantage that immediately stands out in favor of refresh tokens. Instead, there are a number of incremental improvements that add up to making them the overall superior design.

They simplify revocation, for much the same reason that the lifetime of digital certificates (as used in HTTPS) is slowly shrinking to 90 days by default: a credential that expires soon needs far less revocation machinery around it. Long-lived access tokens require that every system which receives one constantly checks a central server to see whether the token has been revoked. With refresh tokens, only the authorization server needs to check for revocation, and it does so at the moment it is asked to mint a new access token. The short-lived access tokens it issues are self-contained and stateless, so the systems which consume them only need to verify the signature and check that the token has not expired (and, in practice, that the issuer and audience are the ones they expect). The flip side is that an access token issued before a revocation remains valid until it expires, so the access-token lifetime is the upper bound on how long a revoked session can keep working. While this doesn't matter as much in smaller scale systems where there are few resource servers, it both eases development as systems grow and results in sometimes significant performance gains.

Short-lived access tokens limit the impact of them being leaked or compromised.
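The following is an added example and not code from the original post: a standard-library-only Python model of the revocation split described above. The authorization server hands out opaque refresh tokens, is the only component that keeps revocation state, and mints a minimal HS256 JWT (header.payload.signature) as the short-lived access token; the resource server validates that token purely from its contents. Everything specific is an assumption for illustration: the names `https://auth.example` and `https://api.example`, the 15-minute lifetime, HMAC-SHA256 over a shared secret standing in for the asymmetric signature a real authorization server would use (which is why the toy resource server holds the same key), and revocation implemented as forgetting the refresh token. It goes a little beyond the text by also pinning the algorithm and checking issuer and audience, which is what a production validator has to do, and it deliberately shows the caveat that an already-issued access token survives revocation until its `exp` passes.

```python
import base64, hashlib, hmac, json, secrets, time

ACCESS_TOKEN_TTL = 15 * 60  # seconds; an assumed lifetime, not a value from the post
ISSUER = "https://auth.example"  # assumed names for the two parties
API_AUDIENCE = "https://api.example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AuthorizationServer:
    """Issues opaque long-lived refresh tokens and swaps them for short-lived
    signed access tokens. It is the only component that holds revocation state."""
    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self._refresh_tokens = {}  # refresh token -> subject it was issued to

    def issue_refresh_token(self, subject: str) -> str:
        token = secrets.token_urlsafe(32)  # random and opaque; carries no claims itself
        self._refresh_tokens[token] = subject
        return token

    def revoke_refresh_token(self, token: str) -> None:
        self._refresh_tokens.pop(token, None)  # forgetting the token is the revocation

    def exchange(self, refresh_token: str, audience: str, now=None) -> str:
        """Refresh-token grant: the revocation lookup happens here and only here."""
        subject = self._refresh_tokens.get(refresh_token)
        if subject is None:
            raise PermissionError("invalid or revoked refresh token")
        now = int(time.time()) if now is None else now
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"iss": ISSUER, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ACCESS_TOKEN_TTL}
        signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"

class ResourceServer:
    """Validates access tokens statelessly (algorithm, signature, issuer,
    audience, expiry) and never calls back to the authorization server."""
    def __init__(self, signing_key: bytes, audience: str):
        self.key = signing_key
        self.audience = audience

    def validate(self, access_token: str, now=None) -> dict:
        try:
            h, p, s = access_token.split(".")
        except ValueError:
            raise PermissionError("malformed token") from None
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            raise PermissionError("unexpected alg")  # pin the algorithm; never trust the header
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64url_decode(p))
        if claims.get("iss") != ISSUER or claims.get("aud") != self.audience:
            raise PermissionError("wrong issuer or audience")
        now = int(time.time()) if now is None else now
        if now >= claims["exp"]:
            raise PermissionError("access token expired")
        return claims

def _accepts(server: ResourceServer, token: str, now: int) -> bool:
    try:
        server.validate(token, now=now)
        return True
    except PermissionError:
        return False

def demo() -> dict:
    # Walk the token lifecycle on a fixed clock and return the outcome of each scenario.
    key = secrets.token_bytes(32)
    auth = AuthorizationServer(key)
    api = ResourceServer(key, API_AUDIENCE)
    t0 = 1_700_000_000
    rt = auth.issue_refresh_token("alice")
    at = auth.exchange(rt, API_AUDIENCE, now=t0)
    other = auth.exchange(rt, "https://other.example", now=t0)  # minted for a different API
    h, p, s = at.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["sub"] = "mallory"
    forged = f"{h}.{_b64url(json.dumps(claims).encode())}.{s}"  # edited payload, old signature
    out = {"subject": api.validate(at, now=t0 + 60)["sub"],
           "wrong_audience": _accepts(api, other, t0 + 60),
           "tampered": _accepts(api, forged, t0 + 60)}
    auth.revoke_refresh_token(rt)
    try:
        auth.exchange(rt, API_AUDIENCE, now=t0 + 61)
        out["exchange_after_revoke"] = "issued"
    except PermissionError:
        out["exchange_after_revoke"] = "refused"
    # Nothing tells the resource server about the revocation: the token it already saw keeps working until exp.
    out["old_token_after_revoke"] = _accepts(api, at, t0 + 120)
    out["old_token_after_expiry"] = _accepts(api, at, t0 + ACCESS_TOKEN_TTL)
    return out
```

Calling `demo()` shows the whole argument in one run: the valid token is accepted for `alice`, the token minted for a different audience and the forged payload are both rejected without any network call, the refresh-token exchange is refused once the token is revoked, and the access token issued before the revocation is still accepted at `t0 + 120` but not once `ACCESS_TOKEN_TTL` has elapsed. That last pair is the design trade-off: revocation latency is bounded by the access-token lifetime, which is exactly why the lifetime is kept short.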