StudioAquatan / TechTalkTuesday

A casual weekly chat about technology at そふらぼ every Tuesday
MIT License

2018/12/18 #11

Closed. taxio closed this 5 years ago

taxio commented 5 years ago

Previous: #10

taxio commented 5 years ago

How should Refresh Tokens be used?

Is the token generated the same way as a JWT? And does handling it securely depend on the frontend implementation??

taxio commented 5 years ago

Next: #12

taxio commented 5 years ago

https://auth0.com/learn/refresh-tokens/

Refresh Tokens are long-lived. This means when a client gets one from a server, this token must be stored securely to keep it from being used by potential attackers, for this reason, it is not safe to store them in the browser. If a Refresh Token is leaked, it may be used to obtain new Access Tokens (and access protected resources) until it is blacklisted. Refresh Tokens must be issued to a single authenticated client to prevent the use of leaked tokens by other parties. Access Tokens must also be kept secret, but due to its shorter life, security considerations are less critical.

As expected, there is nothing about changing the Refresh Token generation algorithm to make it secure... It is all about how to protect the token.
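As an added example (not from this issue, and not Auth0's code), here is one way a server can implement the points quoted above: the refresh token is an opaque random string rather than a JWT, only its SHA-256 hash is stored server-side, it is bound to a single client, it is rotated on every use, and presenting an already-rotated token revokes the whole token family (the "blacklist" the quote mentions). The in-memory store, the client ids and the unsigned access-token claims are placeholders constructed for the example.

```python
import hashlib
import secrets


def _digest(token: str) -> str:
    # Only the hash is persisted, so a leaked database does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class RefreshTokenStore:
    """Constructed in-memory store; a real service would back this with a database."""

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600, access_ttl: int = 600):
        self.ttl = ttl_seconds
        self.access_ttl = access_ttl
        self._records = {}  # digest -> record dict

    def issue(self, user: str, client_id: str, now: float, family: str = None) -> str:
        token = secrets.token_urlsafe(32)  # opaque random value, not a JWT
        d = _digest(token)
        self._records[d] = {
            "user": user,
            "client_id": client_id,  # bound to the one client it was issued to
            "expires": now + self.ttl,
            "revoked": False,
            "family": family or d,  # first token of a chain names the family
        }
        return token

    def revoke_family(self, family: str) -> None:
        for rec in self._records.values():
            if rec["family"] == family:
                rec["revoked"] = True

    def redeem(self, token: str, client_id: str, now: float):
        """Exchange a refresh token for (access claims, new refresh token), or None."""
        rec = self._records.get(_digest(token))
        if rec is None:
            return None
        if rec["revoked"]:
            # An already-rotated token came back: treat the chain as leaked.
            self.revoke_family(rec["family"])
            return None
        if rec["client_id"] != client_id or rec["expires"] < now:
            return None
        rec["revoked"] = True  # rotation: the presented token is single-use
        new_refresh = self.issue(rec["user"], client_id, now, rec["family"])
        access = {"sub": rec["user"], "exp": now + self.access_ttl}  # signing omitted
        return access, new_refresh
```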

taxio commented 5 years ago

Refresh Tokens in the IDaaS that Auth0 provides. https://auth0.com/docs/tokens/refresh-token/current

Read later