OAuth with the same credentials and multiple sessions

Published 2025-01-09 21:03:23

I am working on an eCommerce Website and an App. We use SAP Hybris for OAuth 2.0.
To get an access token I send a Client ID, Client secret, Username and Password to the auth server.

Problem Example:

If I log in with the App first and then the Website, I won't be able to refresh my token in one of the sessions.

The token I receive from the server is pretty standard and looks like this:

{
"access_token":"9T7IziRSIM_QIqFtttM8rhf83zU",
"token_type":"bearer",
"refresh_token":"MztkOmh67gIEiMwX5sED-Rug51c",
"expires_in":43199,
"scope":"basic"
}

The only difference is that in the "Website Token" the expires_in would have a lower value than 43199 since it was requested after the "App Token".

Since both the access_token as well as the refresh_token are identical, the moment one of them expires and we try to fetch a new token, the first session that does it will receive completely different credentials. As soon as the second session (which is now expired) tries to also refresh its credentials, the server will deny new credentials since the old credentials can be used only once to get new tokens.

Every 12 hours the tokens become expired and the first client to request a new token effectively logs out the other client by doing so.

Question:

What could I do to deal with this problem?

I was thinking it should be possible to send a unique ID to my request to generate a unique token. However I cannot find any information about this on the SAP Docs.
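The collision the question describes can be reproduced with a small simulation. The following is an added example and not code from the question or from SAP Hybris: it models a toy password-grant authorization server with single-use (rotating) refresh tokens, once in a mode where every login of the same user is handed the same token pair (the behaviour observed above) and once where each password grant gets its own pair. The class and function names, the username "alice", and the two server modes are constructed assumptions for illustration only; they say nothing about how SAP Hybris is configured internally.

```python
"""Constructed simulation of two clients (an app and a website) sharing one
OAuth user account against a server that rotates refresh tokens.  Not SAP
Hybris code; the server model is an assumption made for this example."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class TokenPair:
    """Shape of the token response shown in the question."""
    access_token: str
    refresh_token: str
    expires_in: int = 43199
    token_type: str = "bearer"
    scope: str = "basic"


class ToyAuthServer:
    """Password-grant server with single-use refresh tokens (hypothetical).

    reuse_per_user=True  -> every login of a user returns the user's current
                            token pair (what the question observes).
    reuse_per_user=False -> every password grant mints its own pair, so one
                            client's refresh cannot invalidate the other's.
    """

    def __init__(self, reuse_per_user: bool) -> None:
        self.reuse_per_user = reuse_per_user
        self._current: Dict[str, TokenPair] = {}          # username -> pair
        self._valid_refresh: Dict[str, str] = {}          # refresh -> username

    def _issue(self, username: str) -> TokenPair:
        pair = TokenPair(secrets.token_urlsafe(20), secrets.token_urlsafe(20))
        self._valid_refresh[pair.refresh_token] = username
        self._current[username] = pair
        return pair

    def password_grant(self, username: str) -> TokenPair:
        """grant_type=password; credentials are assumed already verified."""
        if self.reuse_per_user and username in self._current:
            return self._current[username]
        return self._issue(username)

    def refresh_grant(self, refresh_token: str) -> Optional[TokenPair]:
        """grant_type=refresh_token; a refresh token is consumed on first use,
        so a second presentation of the same value yields None (invalid_grant)."""
        username = self._valid_refresh.pop(refresh_token, None)
        if username is None:
            return None
        return self._issue(username)


def simulate(reuse_per_user: bool) -> Tuple[bool, bool]:
    """Log in from the app, then from the website, let both tokens age past
    expiry, and have each client refresh.  Returns (app_refresh_ok, web_refresh_ok)."""
    server = ToyAuthServer(reuse_per_user)
    app_tokens = server.password_grant("alice")   # "alice" is a constructed user
    web_tokens = server.password_grant("alice")
    app_ok = server.refresh_grant(app_tokens.refresh_token) is not None
    web_ok = server.refresh_grant(web_tokens.refresh_token) is not None
    return app_ok, web_ok


if __name__ == "__main__":
    print("shared pair per user :", simulate(True))    # second client is logged out
    print("pair per grant       :", simulate(False))   # both clients keep working
```

In the shared mode the website's refresh fails exactly as the question reports, because the app has already consumed the single-use refresh token. In the per-grant mode each client holds an independent session, which is the property to look for in the authorization server's configuration (or, failing that, the reason to coordinate the two clients so only one of them ever performs the refresh).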
