Principles and implementation of access_token and refresh_token #298

Open
hehongwei44 opened this issue Dec 19, 2018 · 4 comments
@hehongwei44 hehongwei44 commented Dec 19, 2018

Refresh strategy for expired user-authentication tokens: https://segmentfault.com/a/1190000014545422

@hehongwei44 hehongwei44 added the JAVA label Dec 19, 2018
@hehongwei44 hehongwei44 commented Dec 19, 2018

Solving the problems that come with refreshing tokens under JWT: https://segmentfault.com/a/1190000013151506

@hehongwei44 hehongwei44 changed the title "JWT token and refreshToken strategy" to "ccess_token refresh_token principles and implementation" Dec 20, 2018
@hehongwei44 hehongwei44 changed the title "ccess_token refresh_token principles and implementation" to "Principles and implementation of access_token and refresh_token" Dec 20, 2018
@hehongwei44 hehongwei44 commented Dec 20, 2018

Implementing token refresh: https://www.cnblogs.com/wqtmelo/p/8527148.html

Put a refresh_token identifier into the access_token, give the access_token a short lifetime (for example one day) and the refresh_token a long lifetime (for example seven days). When an active user (one holding an access_token) sends a request, the authorization check validates the access_token and the refresh_token carried in the request header separately:

1. access_token not expired: the authorization check passes;

2. access_token expired but refresh_token not expired: return an authorization failure and add a key marking this state to the response header; in the request method's catch block, read that key from the WebException, obtain a new token (containing a new access_token and refresh_token), re-send the request, return the result and the new token to the client, and then update the shared static token model on the client;

3. access_token expired and refresh_token expired: the authorization check fails.

@hehongwei44 hehongwei44 commented Dec 20, 2018

Summary:

Front end: the front end only accepts the access_token; if a value is present it overwrites the original access_token, otherwise it does nothing.

Back end:

  1. access_token not expired: let the request through.
  2. access_token expired but refresh_token not expired: the access_token gets a new value; whether the refresh_token gets a new value depends on business needs. If the refresh_token is meant to expire one week after issue, leave it unchanged; otherwise give it a new value too.
  3. access_token and refresh_token both expired: both get new values.

Storage: the front end stores them in a cookie or localStorage; the back end stores them in a database or a cache such as redis.
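The three-case check laid out in the comment above and in the earlier Dec 20 comment (short-lived access_token that carries the refresh_token identifier, long-lived refresh_token, server-side record of issued refresh_tokens), as an added Python example that is not part of this issue or of the linked articles. It assumes HMAC-SHA256-signed tokens with a hypothetical `SECRET` key, a plain dict standing in for the database/redis record, and a `rotate_refresh` switch for the "does the refresh_token get a new value" decision; all names are illustrative.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed HMAC key for signing tokens (illustration only; load it from a secret store in practice).
SECRET = b"example-only-hmac-key-do-not-reuse"
ACCESS_TTL = 24 * 3600        # access_token lives one day, as in the thread
REFRESH_TTL = 7 * 24 * 3600   # refresh_token lives seven days, as in the thread


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict) -> str:
    """Encode payload as <base64url(json)>.<base64url(HMAC-SHA256 over that body)>."""
    body = b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def decode_token(token: str, now: float):
    """Return (payload, status) with status 'valid', 'expired' or 'invalid'.
    The signature is verified before the expiry is read, so a forged token is
    always 'invalid' and never merely 'expired' (which could trigger a refresh)."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return None, "invalid"
        payload = json.loads(unb64(body))
        exp = int(payload["exp"])
    except (ValueError, KeyError, TypeError):
        return None, "invalid"
    return payload, ("valid" if now < exp else "expired")


def issue_pair(sub: str, now: float, store: dict):
    """Issue an access_token bound (via 'rt') to a fresh refresh_token. `store` stands
    in for the server-side database/redis record; deleting an entry revokes that token."""
    rjti = secrets.token_hex(8)
    store[rjti] = sub
    refresh = sign({"sub": sub, "kind": "refresh", "jti": rjti, "exp": int(now) + REFRESH_TTL})
    access = sign({"sub": sub, "kind": "access", "rt": rjti, "exp": int(now) + ACCESS_TTL})
    return access, refresh


def authorize(access: str, refresh: str, now: float, store: dict, rotate_refresh: bool = True) -> dict:
    """Evaluate the thread's three cases for one request carrying both tokens."""
    a, a_status = decode_token(access, now)
    # 'kind' stops a refresh_token from being presented as an access_token.
    if a_status == "invalid" or a.get("kind") != "access":
        return {"status": "denied", "reason": "access_token invalid"}
    if a_status == "valid":                                   # case 1: let the request through
        return {"status": "ok", "sub": a["sub"]}
    r, r_status = decode_token(refresh, now)
    usable = (r_status == "valid" and r.get("kind") == "refresh"
              and r.get("sub") is not None and r.get("jti") is not None
              and r["jti"] == a.get("rt")                     # refresh_token must be the one the access_token names
              and store.get(r["jti"]) == r["sub"])            # and must still be on record server-side
    if not usable:                                            # case 3: both unusable, re-authentication needed
        return {"status": "denied", "reason": "access_token expired, refresh_token unusable"}
    sub = r["sub"]
    if rotate_refresh:                                        # case 2, rotating: old refresh_token is revoked
        del store[r["jti"]]
        new_access, new_refresh = issue_pair(sub, now, store)
    else:                                                     # case 2, fixed expiry: keep the refresh_token
        new_access = sign({"sub": sub, "kind": "access", "rt": r["jti"], "exp": int(now) + ACCESS_TTL})
        new_refresh = refresh
    return {"status": "refreshed", "sub": sub, "access_token": new_access, "refresh_token": new_refresh}
```

The server-side `store` is what makes the back-end database/redis storage from the summary worth having: a refresh_token whose record has been deleted is rejected even though its signature and expiry are fine, and with `rotate_refresh=True` every refresh revokes the previous refresh_token, so a stolen copy stops working after one use. The `rt` binding also prevents an attacker from pairing an expired access_token with some other user's refresh_token.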

@hehongwei44 hehongwei44 commented Dec 20, 2018

Introduction to access_token and refresh_token: https://www.jianshu.com/p/8a0e74b60efe
