了解 Laravel 护照刷新令牌
Understanding Laravel Passport refresh token
我正在尝试了解如何通过电子邮件和密码使用 Laravel Passport。
我知道我不应该在客户端存储 client_id & client_secret。
我写了自己的登录名,它按预期工作,在 return 中,我获得了访问令牌,但我想不出一种方法来刷新此令牌 而无需 存储 client_id & client_secret 在客户端。
或者没有 client_id & client_secret 就无法刷新访问令牌?
也已阅读 但我没有明确的答案如何以及是否可以刷新令牌。
感谢您的帮助!
https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
Typically, refresh tokens are only used with confidential clients.
However, since it is possible to use the authorization code flow
without a client secret, the refresh grant may also be used by clients
that don’t have a secret. If the client was issued a secret, then the
client must authenticate this request. Typically the service will
allow either additional request parameters client_id and
client_secret, or accept the client ID and secret in the HTTP Basic
auth header. If the client does not have a secret, then no client
authentication will be present in this request.
这意味着刷新令牌可能不是不应存储凭据的客户端应用程序的正确选择。
我正在尝试了解如何通过电子邮件和密码使用 Laravel Passport。
我知道我不应该在客户端存储 client_id & client_secret。 我写了自己的登录名,它按预期工作,在 return 中,我获得了访问令牌,但我想不出一种方法来刷新此令牌 而无需 存储 client_id & client_secret 在客户端。 或者没有 client_id & client_secret 就无法刷新访问令牌?
也已阅读
感谢您的帮助!
https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
Typically, refresh tokens are only used with confidential clients. However, since it is possible to use the authorization code flow without a client secret, the refresh grant may also be used by clients that don’t have a secret. If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header. If the client does not have a secret, then no client authentication will be present in this request.
这意味着刷新令牌可能不是不应存储凭据的客户端应用程序的正确选择。