登录 Auth0 时:
POST https://my.auth0.com/oauth/ro
{
"client_id": "<client-id>",
"username": "me@gmail.com",
"password": "••••••••",
"connection": "<auth0-connection>",
"grant_type": "password",
"scope": "openid offline_access jti email",
"device": "<device-id>"
}
// Response
{
"refresh_token": "<refresh-token>",
"id_token": "<id-token>",
"access_token": "<access-token>",
"token_type": "bearer"
}
// id_token JWT payload
{
"jti": "3d4c5e97-3543-4c53-b46e-3aa965cd5a34",
"email": "me@gmail.com",
"email_verified": false,
"iss": "https://my.auth0.com/",
"sub": "auth0|<id>",
"aud": "<aud>",
"exp": 1481766419,
"iat": 1481730461
}
如果我jti
在我的范围内指定,返回id_token
的 JWT 将包含一个jti
. Auth0jti
建议使用 JWT。jti
s 唯一标识 JWT,可用于将 JWT 列入黑名单之类的事情。
但是,由于某种原因,如果我尝试id_token
使用刷新令牌获取新令牌:
POST https://my.auth0.com/delegation
{
"client_id": "<client-id>",
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"refresh_token": "<refresh-token>",
"api_type": "app",
"scope": "openid offline_access jti email",
"device": "<device-id>"
}
// Response
{
"token_type": "Bearer",
"expires_in": 35958,
"id_token": "<id-token>"
}
// id_token JWT payload
{
"email": "me@gmail.com",
"email_verified": false,
"iss": "https://my.auth0.com/",
"sub": "auth0|<id>",
"aud": "<aud>",
"exp": 1481766678,
"iat": 1481730720,
"azp": "<azp>"
}
即使我jti
在我的范围内指定,id_token
返回的也不包含jti
.
这是一个错误吗?请帮忙。