zoukankan      html  css  js  c++  java
  • 为Web Api 2认证服务器增加令牌刷新功能

    Refresh tokens can potentially improve the situation but also increase complexity. A refresh token is a long lived token that allows requesting new access tokens without having to present the user credentials again. This means that the access token itself could be short lived and whenever the refresh token is used to request a new access token, the contents of that access token can be updated. But with that power, you’ll have more responsibilities. Let’s have a look.


    Refresh tokens must be bound to a client – you typically don’t want that a refresh token from your desktop client can be used from the web client and so on (this is also important for being able to revoke them). That means you need to introduce client authentication (or at least identification). This also means that your client needs an embedded credential (or must use dynamic client registration – but that is out of scope for this post). Depending on the client type this might not be a real secret and shouldn’t be used to base further security decisions on.


    This changes how the ValidateClientAuthentication method looks like. We need to validate client credentials, and need to make the client ID available in the pipeline for later processing (unfortunately we need to use the OWIN context for that because of some shortcoming in the current middleware API).

  • 相关阅读:
    Intent 各种跳转 .
    android之Menu 实例与详解
    Andriod: 在xml布局中使用自定义属性
  • 原文地址:https://www.cnblogs.com/kelite/p/3489557.html
Copyright © 2011-2022 走看看