1
1130335361 2020-05-31 20:38:54 +08:00
|
2
hellomsg 2020-07-30 12:05:20 +08:00
jwt 有过期时间。对 Oath 不是很深入了解,个人认为苹果设计的这些验证步骤是为了检测 jwt 是否是伪造的或是被篡改了,是 app 业务方做的安全检测,最终目的是为了减少虚假注册?
|
3
hellomsg 2020-07-30 12:11:37 +08:00
我还有个疑问,苹果的 `refreshToken` 和 `access tokens` 是干嘛用的?文中说“which you use to obtain access tokens with future calls”,但是他也没有提供其他接口需要这个 `access tokens` 用来获取用户信息。
> Obtain a Refresh Token After verifying the identity token on your server, call the Generate and Validate Tokens endpoint with the client_id, client_secret, and nonce information. On success, the server issues a refresh token, which you use to obtain access tokens with future calls. You may verify the refresh token up to once a day to confirm that the user’s Apple ID on that device is still in good standing with Apple’s servers. Apple’s servers may throttle your call if you attempt to verify a user’s Apple ID more than once a day. If any step of the token verification fails, direct your app to fetch a new identity token for the user. Obtaining a new identity token on the device requires user interaction. |
4
hellomsg 2020-07-30 12:22:17 +08:00
这个漏洞是在说 email 用户可以随便写会有安全隐患吗?但是对于一个可以随便写的 email,app 方会使用这个邮箱来创建帐号,并允许使用这个邮箱登录?
|