Single-use refresh tokens for Snowflake OAuth security integrations
This topic describes how to enable single-use refresh tokens for Snowflake OAuth security integrations.
Single-use refresh tokens are a feature you can enable to prevent a stolen refresh token from being reused in a Snowflake account. When you enable single-use refresh tokens, the behavior of the refresh token grant flow changes as follows:
- Within the 90 days that a refresh token is valid, you can use it only once.
- After a refresh token has been used, it becomes invalid.
- The refresh token grant flow returns a new refresh token and a new access token, instead of only a new access token. The new refresh token will have the same expiration time as specified by OAUTH_REFRESH_TOKEN_VALIDITY when the integration was created (or the default system validity period, if not specified).
- After you obtain a new refresh token, all previous refresh tokens and access tokens become invalid.
Benefits of single-use refresh tokens
Single-use refresh tokens provide the following security benefits:
- Reduced effective token lifetime: When a legitimate application uses a refresh token, any stolen copies of the refresh token become invalidated. This single-use behavior makes distributing stolen tokens and using stolen tokens in timed attacks more difficult.
For example, if your application runs the refresh token grant flow every 10 minutes, a malicious actor who steals a refresh token can use the stolen token only within that 10-minute window, before the application obtains a new refresh token, even though the token itself is valid for 90 days.
- Intrusion detection: A refresh token cannot be reused. If a refresh token is presented a second time, all previous refresh tokens and access tokens become invalid.
For example, if a malicious actor steals a single-use refresh token and attempts to reuse it, the reuse attempt invalidates all previous refresh tokens and access tokens, which exposes the malicious use of the refresh token.
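The reuse-detection behavior above is easiest to see when it is modeled end to end. The following added example is a toy in-memory authorization server written for this page, not Snowflake's implementation: it implements the documented rules (a refresh token works once, each refresh returns a new access/refresh pair with a fresh validity window, and presenting a spent refresh token invalidates every token that descends from the same authorization code exchange), then replays the theft scenario from the text. The 90-day constant, the token "family" bookkeeping and the `theft_scenario` helper are all constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

REFRESH_TOKEN_VALIDITY = 90 * 24 * 3600   # seconds; the page states a 90-day validity


class RefreshTokenReuse(Exception):
    """An already-spent refresh token was presented a second time."""


@dataclass
class TokenFamily:
    """Everything issued from one authorization code exchange.

    Only the most recent access token and refresh token are valid. Spent
    refresh tokens are remembered so that a reuse can be recognised.
    """
    current_access: str = ""
    current_refresh: str = ""
    refresh_expires_at: float = 0.0
    spent_refresh: set = field(default_factory=set)
    revoked: bool = False


class SingleUseTokenServer:
    """Toy authorization server modelling the documented behaviour
    (constructed for this example; not Snowflake's implementation)."""

    def __init__(self, clock=time.time):
        self._clock = clock                        # injectable for deterministic tests
        self._by_refresh: dict[str, TokenFamily] = {}
        self._by_access: dict[str, TokenFamily] = {}

    def _issue(self, family: TokenFamily) -> dict:
        """Rotate: mark the current refresh token as spent and mint a new pair."""
        if family.current_refresh:
            family.spent_refresh.add(family.current_refresh)
        family.current_access = secrets.token_urlsafe(24)
        family.current_refresh = secrets.token_urlsafe(24)
        # The new refresh token gets a full validity window again.
        family.refresh_expires_at = self._clock() + REFRESH_TOKEN_VALIDITY
        self._by_refresh[family.current_refresh] = family
        self._by_access[family.current_access] = family
        return {"access_token": family.current_access,
                "refresh_token": family.current_refresh}

    def exchange_code(self) -> dict:
        """Authorization code grant (code validation omitted): starts a new family."""
        return self._issue(TokenFamily())

    def refresh(self, refresh_token: str) -> dict:
        """Refresh token grant with single-use semantics."""
        family = self._by_refresh.get(refresh_token)
        if family is None or family.revoked:
            raise PermissionError("unknown or revoked refresh token")
        if refresh_token in family.spent_refresh:
            # Someone holds a stale copy: revoke the whole family so that the
            # legitimate client's next call fails and the theft becomes visible.
            family.revoked = True
            raise RefreshTokenReuse("refresh token reuse detected; family revoked")
        if self._clock() > family.refresh_expires_at:
            raise PermissionError("refresh token expired")
        return self._issue(family)

    def access_token_valid(self, access_token: str) -> bool:
        family = self._by_access.get(access_token)
        return (family is not None and not family.revoked
                and access_token == family.current_access)


def try_refresh(server: SingleUseTokenServer, refresh_token: str) -> str:
    """Classify a refresh attempt as 'ok', 'reuse' or 'rejected'."""
    try:
        server.refresh(refresh_token)
        return "ok"
    except RefreshTokenReuse:
        return "reuse"
    except PermissionError:
        return "rejected"


def theft_scenario(server: SingleUseTokenServer) -> dict:
    """Replay the example from the text: a stolen refresh token is presented
    after the legitimate client has already rotated it."""
    first = server.exchange_code()
    stolen = first["refresh_token"]               # attacker copies this token
    second = server.refresh(stolen)               # legitimate client rotates first
    new_valid_before = server.access_token_valid(second["access_token"])
    reuse_outcome = try_refresh(server, stolen)   # the stale copy is presented again
    legit_outcome = try_refresh(server, second["refresh_token"])  # legitimate client now fails
    return {
        "old_access_invalid_after_rotation": not server.access_token_valid(first["access_token"]),
        "new_access_valid_before_reuse": new_valid_before,
        "reuse_rejected": reuse_outcome == "reuse",
        "new_access_invalid_after_reuse": not server.access_token_valid(second["access_token"]),
        "legitimate_client_locked_out": legit_outcome == "rejected",
    }


if __name__ == "__main__":
    for key, value in theft_scenario(SingleUseTokenServer()).items():
        print(f"{key}: {value}")
```

The point the model makes visible is the last line of the result: after the reuse, the legitimate client's own refresh fails too, which is the signal that tells you a token was copied. A client that treats a refresh failure as "re-authenticate silently" hides that signal; log it instead.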
Enabling single-use refresh tokens
You can enable refresh token rotation when you use the authorization code grant flow to exchange an authorization code for an access token and a refresh token.
You can enable single-use refresh tokens with either of the following methods:
Using a request parameter in the body of the HTTP request
A client application can set the enable_single_use_refresh_tokens request parameter to TRUE in the body of an HTTP POST request to the token request endpoint for Snowflake OAuth during the authorization code grant flow.
After a client application sets the enable_single_use_refresh_tokens request parameter to TRUE during the authorization code grant flow, all future refresh token grant flows return a new refresh token and a new access token, and invalidate all previous access tokens and refresh tokens.
For example, you can make the following HTTP POST request to do an authorization code grant flow and set the enable_single_use_refresh_tokens request parameter to TRUE to get your first access token and refresh token:
Then you can make the following HTTP POST request to perform a refresh token grant flow with the old refresh token, to get a new access token and a new refresh token:
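The two requests described above, as an added example that is not Snowflake's own code: a small client that performs the authorization code grant with enable_single_use_refresh_tokens set, then performs the refresh token grant and overwrites its cached refresh token as soon as the reply arrives (with single-use tokens, the refresh token it just sent is spent the moment the server answers). Assumptions are labelled in the code: the account-specific endpoint path `/oauth/token-request`, HTTP Basic authentication with the integration's client ID and secret, and the placeholder account URL; the `transport` argument exists so the flow can be exercised against a fake endpoint without network access.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumption: path of the account's Snowflake OAuth token request endpoint.
TOKEN_PATH = "/oauth/token-request"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client credentials for the token endpoint, sent as HTTP Basic auth (assumption)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def parse_form(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body (used by a fake endpoint in tests)."""
    return dict(urllib.parse.parse_qsl(body.decode()))


def urllib_transport(url: str, headers: dict, body: bytes) -> dict:
    """Real transport: POST the form and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class SnowflakeOAuthClient:
    """Holds exactly one refresh token and replaces it after every grant."""

    def __init__(self, account_url: str, client_id: str, client_secret: str,
                 transport=urllib_transport):
        self._url = account_url.rstrip("/") + TOKEN_PATH
        self._auth = basic_auth_header(client_id, client_secret)
        self._transport = transport            # injectable so the flow can be tested offline
        self.access_token = None
        self.refresh_token = None              # the one cached refresh token

    def _post(self, form: dict) -> dict:
        headers = {"Authorization": self._auth,
                   "Content-Type": "application/x-www-form-urlencoded"}
        reply = self._transport(self._url, headers, urllib.parse.urlencode(form).encode())
        if "access_token" not in reply:
            raise RuntimeError(f"token request failed: {reply}")
        self.access_token = reply["access_token"]
        # With single-use tokens every refresh reply carries a new refresh token;
        # overwrite the cache at once, because the token just sent is now spent.
        if "refresh_token" in reply:
            self.refresh_token = reply["refresh_token"]
        return reply

    def exchange_code(self, code: str, redirect_uri: str, single_use: bool = True) -> dict:
        """Authorization code grant; opts in to single-use refresh tokens."""
        form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
        if single_use:
            form["enable_single_use_refresh_tokens"] = "true"
        return self._post(form)

    def refresh(self) -> dict:
        """Refresh token grant using the cached (still unused) refresh token."""
        if not self.refresh_token:
            raise RuntimeError("no refresh token cached; run exchange_code first")
        return self._post({"grant_type": "refresh_token",
                           "refresh_token": self.refresh_token})


if __name__ == "__main__":
    # Placeholder account URL and credentials; replace with your own values.
    client = SnowflakeOAuthClient("https://<account_identifier>.snowflakecomputing.com",
                                  "<client_id>", "<client_secret>")
    client.exchange_code("<authorization_code>", "https://app.example/callback")
    client.refresh()
    print("cached refresh token rotated:", client.refresh_token is not None)
```

Whatever store backs `refresh_token` in a real application (keychain, secrets manager, database row), write the new value before the next refresh is attempted; if two instances share one store and race, one of them will present a spent token and revoke the other's session, which is exactly the page's intrusion-detection behavior firing on the legitimate client.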
Setting a property on the Snowflake OAuth security integration
If a client application updates its cached refresh token after each refresh token grant flow, then you can enable single-use refresh tokens for a Snowflake OAuth security integration by setting the OAUTH_SINGLE_USE_REFRESH_TOKENS_REQUIRED property to TRUE.
After you enable single-use refresh tokens for a Snowflake OAuth security integration, all authorization code grant flows and refresh token grant flows that use the client_id of the security integration issue single-use refresh tokens, regardless of whether the client application specifies the enable_single_use_refresh_tokens request parameter during an authorization code grant flow.
For example, you can use ALTER SECURITY INTEGRATION to enable single-use refresh tokens for a Snowflake OAuth security integration:
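One way to apply and verify the property change from an administration script, as an added example that is not Snowflake's own code: the function below runs the ALTER SECURITY INTEGRATION statement through any DB-API cursor (for instance one opened with snowflake-connector-python) and then reads the property back with DESCRIBE SECURITY INTEGRATION so the script fails loudly if the change did not take. Two assumptions are marked in the code: the integration name is validated as a plain unquoted identifier before it is interpolated into SQL, and the DESCRIBE rows are assumed to come back as (property, property_type, property_value, property_default).

```python
import re

PROPERTY = "OAUTH_SINGLE_USE_REFRESH_TOKENS_REQUIRED"

# Assumption: only plain, unquoted Snowflake identifiers are accepted, so the
# name can be interpolated into the statement without becoming an injection vector.
_UNQUOTED_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")


def alter_statement(integration_name: str) -> str:
    """Build the ALTER statement the page describes, after validating the name."""
    if not _UNQUOTED_IDENTIFIER.match(integration_name):
        raise ValueError(f"not a plain unquoted identifier: {integration_name!r}")
    return f"ALTER SECURITY INTEGRATION {integration_name} SET {PROPERTY} = TRUE"


def describe_statement(integration_name: str) -> str:
    if not _UNQUOTED_IDENTIFIER.match(integration_name):
        raise ValueError(f"not a plain unquoted identifier: {integration_name!r}")
    return f"DESCRIBE SECURITY INTEGRATION {integration_name}"


def property_is_true(describe_rows) -> bool:
    """Assumption: each row is (property, property_type, property_value, property_default)."""
    for row in describe_rows:
        if str(row[0]).upper() == PROPERTY:
            return str(row[2]).strip().upper() == "TRUE"
    return False


def enable_single_use_refresh_tokens(cursor, integration_name: str) -> bool:
    """Set the property and return whether DESCRIBE confirms it is now TRUE."""
    cursor.execute(alter_statement(integration_name))
    cursor.execute(describe_statement(integration_name))
    return property_is_true(cursor.fetchall())


if __name__ == "__main__":
    # Placeholder connection; with snowflake-connector-python this would be
    # snowflake.connector.connect(...).cursor(). Replace the name with your own.
    import snowflake.connector  # noqa: F401  (only needed for a real run)
    conn = snowflake.connector.connect()  # credentials come from your environment
    ok = enable_single_use_refresh_tokens(conn.cursor(), "MY_OAUTH_INTEGRATION")
    print("single-use refresh tokens required:", ok)
```

The verification step matters because the property takes effect for every flow that uses the integration's client_id, so an administrator who believes it is on while it is not has exactly the exposure the page describes with none of the detection.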