如果您不使用Google的Oauth流程请求刷新令牌,当access_token过期时会发生什么?
[英]If you don't request a refresh token with Google's Oauth flow what happens when the access_token expires?
问题描述
I've been reading Google's oauth docs. 
我一直在阅读Google的oauth文档。 Here they talk about requesting a refresh token for "offline access". 在这里,他们谈论有关请求“脱机访问”的刷新令牌。
https://developers.google.com/accounts/docs/OAuth2WebServer#refresh https://developers.google.com/accounts/docs/OAuth2WebServer#refresh
I'm curious what happens if you don't request a refresh token and therefore you only have "online" access. 我很好奇,如果您不请求刷新令牌,那么您只有“在线”访问权限,那会发生什么。 But what happens when that access token expires. 但是,当该访问令牌过期时会发生什么。 Do you have to prompt the user to authorize you again? 您是否需要提示用户再次授权您? That sounds like a bad experience. 这听起来像是糟糕的经历。 Wouldn't you just always want to request a refresh token? 您不是总想请求刷新令牌吗?
1 个解决方案
解决方案1
0 已采纳 2014-05-03 03:16:17
Here is what happens: the flow starts again but depending on the browser/cookies configuration the user wont see this. 这是发生的情况:该流程再次开始,但是根据浏览器/ cookie的配置,用户将看不到这一点。 Internally some redirects happen and google gives you a new access token. 内部会发生一些重定向,Google会为您提供一个新的访问令牌。 Its called 'online' because the user is online (from a browser that did it before). 之所以称为“在线”,是因为用户在线(通过以前使用过的浏览器)。 In the 'offline' case you can do the call from anywhere like your backend and not from the user's browser while logged-in. 在“离线”情况下,您可以在登录后从任何地方(例如后端)拨打电话,而无需从用户的浏览器拨打电话。
You also need to be more careful in the offline case, like storing the refresh token in a secure place, and deal with all cases like the user manually revoking the token from https://security.google.com/settings/security/permissions 您还需要在离线情况下更加小心,例如将刷新令牌存储在安全的地方,并处理所有情况,例如用户从https://security.google.com/settings/security/permissions手动吊销令牌
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.