Security concern about the refreshToken implementation of SSO in the documentation #614

I have a question about the following:

The documentation recommends using the "temporary token authentication module" to handle the refreshToken; the specific code in the documentation is as follows:

But there seems to be a problem here: the refreshToken the user passes in might be one stolen from another user, in which case they could renew the accessToken directly under that user's identity. That seems fatal for security.

I tried, in the accessToken method, to check whether the userId contained in the original accessToken matches the userId in the refreshToken to avoid this problem, but once the accessToken has expired, I apparently can't get the userId through the methods in StpUtil.

Is there any way for me to get the userId of an already-expired accessToken? Or is there a better solution I haven't thought of, or is this simply not achievable with Sa-Token alone? I'd appreciate any guidance from the experts.

Comments

I haven't verified the security aspect. But getting the userId after the token has expired is something I've done for a similar requirement.

Very helpful reference, thanks.
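The following is an added example, not code from this issue, from the Sa-Token documentation, or from the Sa-Token project. It models in plain Python the binding the issue author is looking for: at login the server records, inside its own refresh record, which accessToken the refreshToken was issued with (as a digest) together with the userId. The refresh path then never needs to resolve the userId of an already-expired accessToken; it compares the presented accessToken against the stored binding, rejects and revokes a refreshToken presented with someone else's accessToken, and rotates the pair on every successful renewal. `TokenService`, `simulate`, the lifetimes and the user names are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed lifetimes for the example (seconds); a real deployment sets its own.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 7 * 24 * 3600


def fingerprint(token: str) -> str:
    """Digest stored in the refresh record instead of the raw accessToken."""
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    """In-memory stand-in for a token store (hypothetical; not Sa-Token's own classes)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access_tokens = {}   # accessToken -> (user_id, expires_at)
        self.refresh_tokens = {}  # refreshToken -> (user_id, access_fingerprint, expires_at)

    def issue(self, user_id: str):
        """Create an accessToken/refreshToken pair; the refresh record remembers its accessToken."""
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        now = self.clock()
        self.access_tokens[access] = (user_id, now + ACCESS_TTL)
        self.refresh_tokens[refresh] = (user_id, fingerprint(access), now + REFRESH_TTL)
        return access, refresh

    def user_of_access(self, access: str):
        """Like looking the userId up from a live accessToken: returns None once it has expired."""
        entry = self.access_tokens.get(access)
        if entry is None or entry[1] <= self.clock():
            return None
        return entry[0]

    def refresh(self, access: str, refresh: str):
        """Renew only if this refreshToken was issued together with the presented accessToken."""
        record = self.refresh_tokens.get(refresh)
        if record is None or record[2] <= self.clock():
            return None
        user_id, bound_fingerprint, _ = record
        # The check works without resolving the expired accessToken's userId:
        # the binding lives in the refresh record, which the server wrote at login.
        if not secrets.compare_digest(bound_fingerprint, fingerprint(access)):
            # Mismatch: the refreshToken is being used without the matching accessToken.
            # Revoke it so a leaked copy cannot be retried.
            del self.refresh_tokens[refresh]
            return None
        # Rotate: a refreshToken is single-use and the old accessToken is dropped.
        del self.refresh_tokens[refresh]
        self.access_tokens.pop(access, None)
        return self.issue(user_id)


def simulate():
    """Walk through the scenario from the issue with a fake clock; returns the observations."""
    now = [1_000_000.0]
    svc = TokenService(clock=lambda: now[0])
    alice_access, alice_refresh = svc.issue("alice")
    mallory_access, mallory_refresh = svc.issue("mallory")
    now[0] += ACCESS_TTL + 1  # both accessTokens have now expired

    results = {}
    # Expired accessToken: the token -> userId lookup no longer works.
    results["expired_lookup"] = svc.user_of_access(alice_access)
    # A refreshToken copied from alice, presented with mallory's own accessToken.
    results["cross_user_refresh"] = svc.refresh(mallory_access, alice_refresh)
    results["stolen_refresh_revoked"] = alice_refresh not in svc.refresh_tokens
    # The legitimate holder of both tokens renews as usual.
    renewed = svc.refresh(mallory_access, mallory_refresh)
    results["legit_refresh_ok"] = renewed is not None
    results["legit_user"] = svc.user_of_access(renewed[0]) if renewed else None
    # Replaying the already-used refreshToken fails because the pair was rotated.
    results["replay"] = svc.refresh(mallory_access, mallory_refresh)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "->", value)
```

The point is where the binding is kept: the server's own refresh record, written at login, rather than something read back from the accessToken after it has expired. With the temporary-token module the same idea applies by storing the userId together with the accessToken (or a digest of it) in the value the temporary token carries, so the renewal handler can check the presented accessToken against it; that is a design suggestion here, not a description of a documented Sa-Token feature.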