
What's the lifetime of a GitHub OAuth API access token

What is the expiry time of a GitHub OAuth access token? And also, how do I renew it? I don't see any refresh token in their documentation. Please guide me. Thanks in advance.

As commented in this "GitHub OAuth Busy Developer's Guide":

Tokens don't have to expire.
They only send back the access token and an expiration (field "expires_in", seen as far back as 2013) if the offline_access scope is not requested (as it is the case for a refresh token).
Right now, GitHub just assumes all apps want offline access.

You can check an OAuth application authorization, delete it or revoke it.
But the token itself doesn't seem to be bound to an expiry date.

badsyntax adds in the comments:

I also found this useful:

"An OAuth token does not expire until the person who authorized the OAuth App revokes the token."
From "Migrating OAuth Apps to GitHub Apps".

Stokito points out in the comments to rfc6749 / 4.2.2 Access Token Response:

expires_in

RECOMMENDED.
The lifetime in seconds of the access token.
For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.

Generally, the access_token of GitHub has no expiry until you revoke the OAuth token.

You can consider opting in to the GitHub App expiration token beta feature. This would make your app use expiring user tokens valid for 8 hrs, and refresh tokens valid for 6 months.

Here's an official step-by-step guide.

GitHub will automatically revoke an OAuth token or personal access token when the token hasn't been used in one year.

https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation#token-expired-due-to-lack-of-use

Interestingly, some other OAuth providers issue short-lived access tokens and long-lived refresh tokens, as suggested discretionally in the OAuth spec. For example, GitLab OAuth "access tokens expire in two hours" and each refresh token may only be used once. This mitigates the damage that stolen access tokens can do.
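An added example (not from any of the answers above or from GitHub) of how a client can store a token response so that both cases on this page are handled: a response without `expires_in`, and a response with an expiring access token plus a refresh token. The field name `refresh_token_expires_in`, the sample responses, the 5-minute skew and all function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

REFRESH_SKEW = 300  # assumption: refresh 5 minutes before the access token expires

# Constructed sample responses (token values are placeholders, not real tokens).
CLASSIC = {"access_token": "EXAMPLE-ACCESS-1", "token_type": "bearer", "scope": "repo"}
EXPIRING = {"access_token": "EXAMPLE-ACCESS-2", "token_type": "bearer",
            "expires_in": 28800,                    # 8 hours
            "refresh_token": "EXAMPLE-REFRESH-2",
            "refresh_token_expires_in": 15552000}   # 180 days, constructed value

@dataclass
class StoredToken:
    access_token: str
    expires_at: Optional[float]          # None: the server advertised no expiry
    refresh_token: Optional[str]
    refresh_expires_at: Optional[float]

def _deadline(resp: dict, field: str, now: float) -> Optional[float]:
    """Convert a relative lifetime in seconds into an absolute deadline."""
    if resp.get(field) is None:
        return None
    seconds = int(resp[field])
    if seconds <= 0:
        raise ValueError(f"{field} must be a positive number of seconds")
    return now + seconds

def parse_token_response(resp: dict, now: float) -> StoredToken:
    return StoredToken(resp["access_token"], _deadline(resp, "expires_in", now),
                       resp.get("refresh_token"),
                       _deadline(resp, "refresh_token_expires_in", now))

def next_action(tok: StoredToken, now: float) -> str:
    """Return 'use', 'refresh' or 'reauthorize' for the stored token."""
    if tok.expires_at is None or now < tok.expires_at - REFRESH_SKEW:
        # A token without expires_in can still be revoked, so callers must
        # treat a 401 from the API as 'reauthorize' regardless of this answer.
        return "use"
    if tok.refresh_token and (tok.refresh_expires_at is None
                              or now < tok.refresh_expires_at):
        return "refresh"
    return "reauthorize"
```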

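Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to republish, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.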

 