Abstract: In the software development model that separates the front end from the back end, it is essential to protect the back-end data interfaces from being invoked illegally. A token, as the credential for obtaining protected resources, must carry an expiration time; otherwise the authentication function loses its meaning. For active users, an automatic login function should be provided within the token's valid period to improve the user experience. This paper studies the authentication mechanism of OAuth (Open Authorization, an open authorization standard) and implements an identity authentication scheme on the ASP.NET Web API framework; when the access token expires, a token refresh mechanism is added, which both improves the user experience and effectively protects the data interfaces. The scheme is general and applicable to software development with separated front and back ends. Tests show that the scheme is effective and feasible.
Keywords: OAuth; authentication and authorization; separation of front and back ends; refresh
CLC number: TP311.11
Document code: A
Research and Practice of Improving Token Authentication Scheme
HU Xianyu
(Dalian Neusoft University of Information, Dalian 116023, China)
huxianyu@neusoft.edu.cn
Abstract: In the software development model that separates the front end from the back end, it is very important to protect the back-end data interfaces from being illegally invoked. The token, as a credential for obtaining protected resources, needs to carry an expiration time; otherwise the authentication function loses its meaning. For active users, an automatic login function needs to be provided within the valid time to improve the user experience. This paper proposes an identity authentication scheme implemented on the ASP.NET Web API framework after studying the authentication mechanism of OAuth (Open Authorization, an open authorization standard). When the access token expires, a token refresh mechanism is added, which not only improves the user experience but also effectively protects the data interfaces. The proposed scheme is versatile and suitable for software development with separation of front and back ends. Tests show its effectiveness and feasibility.
Keywords: OAuth; authentication and authorization; separation of front and back ends; refresh