OAuth2 Refresh Token. How to store it on client-si

2019-05-04 05:33发布

问题:

There is Authorization OAuth2 Server to get access+refresh token. As far as i understand, access token can be stored on client-side, because it has short live circle. But can refresh token be stored there? According information that I've read, there is no secure way to do it(here)

So, I have to implement separate server-side service, just to store refresh token.

Am I right? Is it only one possible way to store refresh token?

P.S. Client-side: angularJS

回答1:

Yes you are right. If you cannot authenticate with the Authorisation server (i.e. pass client ID and secret) then you will only get a short-lived access token.

As Angular code is on the client it would be insecure for it to hold your client secret. Therefore you can not pass your client secret to the Auth server, so you can not authenticate.

Also your server code would not just store a token, it would be expected to host an endpoint which would accept an auth code and then call the Auth server with that code (and your client credentials) to get a token and refresh token.

The auth code would be supplied to your server endpoint via a call from the auth server via an http redirect following successful user login and user granting access to your app.