Adding token refresh to a Web API 2 authorization server

Refresh tokens can potentially improve the situation but also increase complexity. A refresh token is a long lived token that allows requesting new access tokens without having to present the user credentials again. This means that the access token itself could be short lived and whenever the refresh token is used to request a new access token, the contents of that access token can be updated. But with that power, you’ll have more responsibilities. Let’s have a look.

Token refresh can solve the problem of token expiry, but it also adds complexity. A refresh token is a long-lived token that allows requesting new access tokens without authenticating the user again. This means the access token itself can be short-lived, and whenever the refresh token is used to request a new access token, the contents of that access token can be updated. But with that power come more responsibilities; let's take a look.

Refresh tokens must be bound to a client – you typically don't want a refresh token issued to your desktop client to be usable from the web client, and so on (this is also important for being able to revoke them). That means you need to introduce client authentication (or at least client identification). This also means that your client needs an embedded credential (or must use dynamic client registration – but that is out of scope for this post). Depending on the client type this credential might not be a real secret, and it shouldn't be used as the basis for further security decisions.

Refresh tokens must be bound to a client; in general you don't want a refresh token from a desktop client to be usable from a web client, and so on. This means your client needs an embedded credential (or must use dynamic client registration, which is beyond the scope of this post). Depending on the client type this may not be a real secret and should not be used as the basis for further...

This changes what the ValidateClientAuthentication method looks like. We need to validate the client credentials, and we need to make the client ID available in the pipeline for later processing (unfortunately we have to use the OWIN context for that because of a shortcoming in the current middleware API).
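The following is an added example (not code from the original post) showing the two points made above: client authentication in ValidateClientAuthentication, with the client ID stashed in the OWIN context, and the refresh-token-to-client binding enforced in GrantRefreshToken by comparing the client ID stored in the ticket against the client presenting the token. The in-memory client table, the client IDs, the "as:client_id" key, the password-check stub and the Katana subclass name are all assumptions made for this example; the Katana context types and methods (TryGetBasicCredentials, Validated, SetError, OwinContext, Ticket, ClientId) are from Microsoft.Owin.Security.OAuth.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;

// Hypothetical provider for this example; plug it into
// OAuthAuthorizationServerOptions.Provider together with a RefreshTokenProvider.
public class RefreshTokenAwareProvider : OAuthAuthorizationServerProvider
{
    // Key under which the authenticated client ID travels through the OWIN pipeline
    // and is stamped into the ticket (assumed name, not mandated by Katana).
    private const string ClientIdKey = "as:client_id";

    // Constructed client registry: client ID -> SHA-256 of the client secret.
    // Secrets are stored hashed so a leaked table does not yield usable credentials.
    private static readonly Dictionary<string, byte[]> Clients =
        new Dictionary<string, byte[]>(StringComparer.Ordinal)
        {
            { "desktop-client", Sha256("desktop-secret-EXAMPLE") },
            { "web-client",     Sha256("web-secret-EXAMPLE") }
        };

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret;
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret) &&
            !context.TryGetFormCredentials(out clientId, out clientSecret))
        {
            context.SetError("invalid_client", "Client credentials are required.");
            return Task.FromResult(0);
        }

        byte[] expected;
        if (!Clients.TryGetValue(clientId, out expected) ||
            !FixedTimeEquals(expected, Sha256(clientSecret)))
        {
            // Same error for unknown ID and wrong secret: no client enumeration.
            context.SetError("invalid_client", "Client authentication failed.");
            return Task.FromResult(0);
        }

        // Make the client ID available to the grant handlers that run later.
        context.OwinContext.Set<string>(ClientIdKey, clientId);
        context.Validated(clientId);
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!CheckPassword(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));

        // Bind the ticket (and therefore any refresh token derived from it) to this client.
        var props = new AuthenticationProperties(new Dictionary<string, string>
        {
            { ClientIdKey, context.OwinContext.Get<string>(ClientIdKey) }
        });
        context.Validated(new AuthenticationTicket(identity, props));
        return Task.FromResult(0);
    }

    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        string originalClient;
        context.Ticket.Properties.Dictionary.TryGetValue(ClientIdKey, out originalClient);

        // Refuse a refresh token presented by a different client than it was issued to.
        if (originalClient == null || !string.Equals(originalClient, context.ClientId, StringComparison.Ordinal))
        {
            context.SetError("invalid_grant", "Refresh token was issued to a different client.");
            return Task.FromResult(0);
        }

        // Issue a fresh identity; claims can be updated here on every refresh.
        var newIdentity = new ClaimsIdentity(context.Ticket.Identity);
        newIdentity.AddClaim(new Claim("refreshed_at", DateTimeOffset.UtcNow.ToString("o")));
        context.Validated(newIdentity);
        return Task.FromResult(0);
    }

    // Stub for this example; a real server validates against its user store.
    private static bool CheckPassword(string userName, string password) =>
        !string.IsNullOrEmpty(userName) && !string.IsNullOrEmpty(password);

    private static byte[] Sha256(string value)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(value ?? string.Empty));
    }

    // Constant-time comparison so secret checks do not leak timing information.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The binding check in GrantRefreshToken only works because GrantResourceOwnerCredentials stored the authenticated client ID in the ticket properties, which Katana serializes into the refresh token; a refresh token obtained by the desktop client therefore fails when the web client presents it, even though both clients authenticated successfully in ValidateClientAuthentication.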

Original post: https://www.cnblogs.com/kelite/p/3489557.html