堆栈内存溢出
  简体   繁体   English

如何刷新令牌而不必再次通过身份验证? OAuth2

[英]How to refresh token without getting having to go through auth again? OAuth2

 原文  2019-11-29 10:32:59       authentication/ oauth/ oauth-2.0/ basic-authentication

问题描述

How to refresh the access token without having to go through the authentication process again with OAuth2??如何刷新访问令牌而无需再次使用 OAuth2 进行身份验证过程??

Right now if fetch user fails, I will do refresh token, but in order to do refresh token I must first receive a 401 unauthorized error.现在,如果获取用户失败,我将执行刷新令牌,但为了执行刷新令牌,我必须首先收到 401 未经授权的错误。

By the time I receive the 401 after not being able to do a request, i redirect to the login screen because if i dont redirect to the login screen, the subsequent requests will just not show up.当我在无法执行请求后收到 401 时,我重定向到登录屏幕,因为如果我不重定向到登录屏幕,后续请求将不会显示。

IF i used an expiration time, the token wouldn't refresh without first doing a request, but by the time the request is made the token had already expired.如果我使用了过期时间,则令牌不会在没有首先执行请求的情况下刷新,但是在发出请求时令牌已经过期。

What i am asking is what is the logic that i should use for refreshing access tokens so my app won't log out everytime the token expires and require another authentication.我要问的是我应该用于刷新访问令牌的逻辑是什么,这样我的应用程序就不会在每次令牌过期并需要另一个身份验证时注销。

I would like my app to function more like facebook or google where you stay logged in until you log out.我希望我的应用程序的功能更像 facebook 或 google,您可以在其中保持登录状态,直到您退出。

Thanks in advance.提前致谢。

1 个解决方案

解决方案1
 1 已采纳  2019-11-29 19:51:48

Could you let me know what type of app and tech stack you are using?你能告诉我你正在使用什么类型的应用程序和技术堆栈吗?

There are two times:有两次:

  • Access token lifetime - a short lived API credential (eg 60 minutes)访问令牌生命周期 - 短期 API 凭证(例如 60 分钟)

  • User session lifetime (usually represented by a refresh token - eg 12 hours)用户会话生命周期(通常由刷新令牌表示 - 例如 12 小时)

There are mechanisms to silently renew tokens client side.有一些机制可以悄悄地更新令牌客户端。 The general approach is to get a new token and retry the API call when you get a 401 due to access token expired, as in this class of mine.一般的方法是获取一个新的令牌并在由于访问令牌过期而获得 401 时重试 API 调用,就像我的这个类一样

How you get a new token depends on the type of app (mobile / SPA / cookie based web app)获取新令牌的方式取决于应用程序的类型(移动/SPA/基于 cookie 的网络应用程序)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 OAuth2:“auth_time”声明是否与刷新令牌到期相关? - OAuth2: Is the `auth_time` claim tied to the refresh token expiration? 如何在不访问身份验证服务器的情况下验证OAuth2访问令牌(JWT) - How to validate an OAuth2 access token (JWT) without accessing the auth server 从具有会话令牌的oauth2应用获取用户信息 - Getting information of user from oauth2 app having the session token Auth0锁定-Google oauth2无法获取refresh_token - Auth0 Lock - Google oauth2 unable to get refresh_token OAuth2 refresh_token授予 - OAuth2 refresh_token grant 保护Oauth2 refresh_token - Securing Oauth2 refresh_token 如何基于 Oauth2 协议的身份验证改进 JWT 访问令牌和刷新令牌? - How to improve a JWT access token and refresh token based on authentication with Oauth2 protocol? 获得oauth2令牌后该怎么办? - What to do after getting oauth2 token? 如何使用身份验证服务器的Oauth2访问令牌授权资源/应用程序服务器中的用户? - How to use Oauth2 access token of auth server to authorize users in resource/app server? 无法从身份验证服务器获取Oauth2令牌 - unable to get Oauth2 token from auth server
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM