How to distinguish a JWT access token from a refresh token used in the Authorization header

Votes: 0  Answers: 1

How do you determine whether the JWT token used in Authorization: Bearer ... is an access token or a refresh token? In other words, what prevents a user from using their JWT refresh token in the Authorization header instead of the access token?

When I look at the payloads of the access token and the refresh token in the https://github.com/starkandwayne/ultimate-guide-to-uaa/blob/master/docs/refresh-tokens.md#jwt-refresh-tokens section of this guide, I don't see any real way to identify which is which.

Refresh token:

{
  "jti": "3e53955fcff6429a8a187c4c37f1b592-r",
  "sub": "48a8d464-12dd-4b14-b7a0-96af58379ffb",
  "scope": [
    "openid",
    "airports.all"
  ],
  "client_id": "airports",
  "cid": "airports",
  "user_id": "48a8d464-12dd-4b14-b7a0-96af58379ffb",
  "origin": "uaa",
  "grant_type": "password",
  "user_name": "airports-all",
  "rev_sig": "4c3b3810",
  "iat": 1530739971,
  "exp": 1533331970,
  "iss": "https://192.168.50.6:8443/oauth/token",
  "zid": "uaa",
  "aud": [
    "openid",
    "airports"
  ]
}

Access token:

{
  "jti": "fe39323464d74fb5a6fcb71d89f722c4",
  "sub": "48a8d464-12dd-4b14-b7a0-96af58379ffb",
  "scope": [
    "openid",
    "airports.all"
  ],
  "client_id": "airports",
  "cid": "airports",
  "azp": "airports",
  "user_id": "48a8d464-12dd-4b14-b7a0-96af58379ffb",
  "origin": "uaa",
  "grant_type": "password",
  "user_name": "airports-all",
  "email": "[email protected]",
  "auth_time": 1530739970,
  "rev_sig": "4c3b3810",
  "iat": 1530739971,
  "exp": 1530783171,
  "iss": "https://192.168.50.6:8443/oauth/token",
  "zid": "uaa",
  "aud": [
    "openid",
    "airports"
  ]
}

What is the standard? Put different scopes in them?

oauth oauth-2.0 jwt jwt-auth
1 Answer

0 votes

As shown in the link you posted, opaque refresh tokens that are not JWTs are the recommended option, and that configuration should be used.

The client (usually a UI) should only ever send access tokens to the backend, and any other type of token should be rejected. The correct configuration enforces this.

It is the backend's job to validate the JWT it receives. A non-standard setup like the one above may mean it also works with refresh tokens, but that is bad in two ways:

  • The API message credentials are long-lived, so the security risk is greater if a token is somehow intercepted
  • The solution is not portable and may break for clients in the future, or break if you change providers
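As an added example (not code from the question, the answer, or UAA itself), a backend check in Python that accepts only access tokens as bearer credentials. It assumes a constructed HS256 demo secret in place of the UAA RS256 keys and uses the only two tells visible in the payloads above, the "-r" suffix on the refresh token's jti and the azp/auth_time claims present only on the access token; the robust fix remains the opaque refresh tokens the answer recommends.

```python
import base64, hashlib, hmac, json
# Demo HS256 secret (constructed). A real UAA issuer signs with RS256, so use a JWT
# library with the issuer's public key there; the claim checks below stay the same.
DEMO_SECRET = b"demo-secret-not-for-production"

# Subsets of the two payloads from the question.
REFRESH_CLAIMS = {"jti": "3e53955fcff6429a8a187c4c37f1b592-r", "client_id": "airports",
                  "scope": ["openid", "airports.all"], "iat": 1530739971, "exp": 1533331970}
ACCESS_CLAIMS = {"jti": "fe39323464d74fb5a6fcb71d89f722c4", "client_id": "airports",
                 "azp": "airports", "auth_time": 1530739970,
                 "scope": ["openid", "airports.all"], "iat": 1530739971, "exp": 1530783171}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(payload: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT; stands in for the issuer in this demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_access_token(token: str, now: int, secret: bytes = DEMO_SECRET) -> dict:
    """Return the claims only if `token` is a valid, unexpired *access* token."""
    header, body, sig = token.split(".")  # any other shape raises ValueError
    # The algorithm is fixed server-side; the header's "alg" is never trusted.
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Nothing in the JWT spec marks a refresh token. For this UAA setup the only
    # tells are the "-r" suffix on jti and the missing azp/auth_time claims.
    if str(claims.get("jti", "")).endswith("-r"):
        raise ValueError("refresh token presented as a bearer token")
    missing = [c for c in ("azp", "auth_time") if c not in claims]
    if missing:
        raise ValueError(f"not an access token, missing claims: {missing}")
    return claims

def accepts_bearer(token: str, now: int) -> bool:
    """True if the API would accept this Authorization: Bearer value."""
    try:
        verify_access_token(token, now)
        return True
    except ValueError:
        return False
```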