[英]Google OAuth 2.0: Refresh access_token
I have a server based application that will post appointment dates on a users google calendar.我有一个基于服务器的应用程序,它将在用户的谷歌日历上发布约会日期。
The New User goes thru a process to grant my application permission to access their calendar.新用户通过一个过程来授予我的应用程序访问他们日历的权限。 I have NOT yet acquired approval from google so I'm still under the 100 user limit (I'm around 30 users).我还没有获得谷歌的批准,所以我仍然低于 100 个用户的限制(我大约有 30 个用户)。
I use HTTP and have been supplying the following as part of my initial OAuth request:我使用 HTTP 并在我最初的 OAuth 请求中提供了以下内容:
sprintf(TM.txt, "code=%s&client_id=%s&client_secret=%s&redirect_uri=%s&grant_type=authorization_code",
The last few months - the process normally redirects the user to google where they enter their email and password and then back to my server with an access token AND a refresh token.最近几个月 - 该过程通常将用户重定向到谷歌,在那里他们输入他们的 email 和密码,然后使用访问令牌和刷新令牌返回到我的服务器。 (I use the presence of refresh token to determine if the server has long-term access). (我使用刷新令牌的存在来确定服务器是否具有长期访问权限)。
Lately the initial request is NOT being redirected to google and the server is returned an access token but NOT a refresh token.最近初始请求没有被重定向到谷歌,服务器返回一个访问令牌而不是刷新令牌。
Searching stackoverflow for past posts, I found recommendations to add the following to the request but no refresh token is returned: &access_type=offline&prompt=consent
在 stackoverflow 上搜索过去的帖子,我发现建议将以下内容添加到请求中,但没有返回刷新令牌: &access_type=offline&prompt=consent
Questions问题
Has something changed in the request process?请求过程中有什么变化吗?
What am I missing to receive a refresh token as I had in the past?像过去一样,我缺少什么来接收刷新令牌?
I know that if a refresh token was grated in the past - a new one can not be reacquired until the user kills the original approval by going to:我知道如果一个刷新令牌在过去被磨碎 - 在用户通过以下方式取消原始批准之前无法重新获取新令牌:
https://security.google.com/settings/security/permissions?pli=1 https://security.google.com/settings/security/permissions?pli=1
I have looked at these permissions for users that we have acquired permission and have a refresh token - but I do NOT see my application stated as a Third-Party App.我已经查看了我们已获得许可并拥有刷新令牌的用户的这些权限 - 但我没有看到我的应用程序被声明为第三方应用程序。 How should my App appear so that it could be dismissed if that action was required?我的应用程序应该如何显示,以便在需要该操作时可以将其关闭?
Thanks谢谢
This is the code that has been working for 3 months:这是已经运行了 3 个月的代码:
sprintf(TM.txt, "code=%s&client_id=%s&client_secret=%s&redirect_uri=%s&grant_type=authorization_code",
JSTR *Code,
"323191532401-fcagbr2kfmofgil2i2qch53p1whe27g9.apps.googleusercontent.com",
"j3dIGjj-c5d17bE-HVb2d67R",
"https://knowledgeispower.biz:8888/GoogleOuath" );
I have changed the values above so they are not the actual ones used.我已经更改了上面的值,所以它们不是实际使用的值。
It's unclear what you mean by "initial OAuth request".目前尚不清楚“初始 OAuth 请求”是什么意思。 The OAuth2 process is as follows: OAuth2流程如下:
code
您的用户被谷歌重定向到您的重定向 URL code
code
您使用code
向令牌 URL (令牌请求)发出直接 HTTP 请求Assuming that what you meant by "initial OAuth request" is the authorization request , the structure of your authorization URL is incorrect:假设您所说的“初始 OAuth 请求”是授权请求,您的授权 URL 的结构是不正确的:
code
parameter in the authorization URL (the code is returned to your redirect_uri
as a query parameter to be used in the token request. As a note, I'm not sure what this value even is)您不应该在授权 URL 中包含code
参数(该代码作为查询参数返回到您的redirect_uri
以在令牌请求中使用。请注意,我什至不确定这个值是什么)client_secret
in the authorization URL. The client secret is meant to be a secret, known only by your application.您不应在授权 URL 中包含client_secret
。客户端机密是一个秘密,只有您的应用程序知道。 If you've been including it in the URL, you should assume it is compromised, and you'll need new credentials from Google.如果您已将其包含在 URL 中,您应该假设它已被泄露,并且您需要来自 Google 的新凭据。 The client_secret
should only be included in server-side requests to Google to authorize your application. client_secret
应仅包含在向 Google 发出的服务器端请求中,以授权您的应用程序。scopes
parameter.您必须包含scopes
参数。 This tells Google what permissions your application is requesting这会告诉 Google 您的应用程序请求的权限access_type=offline
if you need a refresh token.如果您需要刷新令牌,则必须包含access_type=offline
。 Without it, Google will not return one.没有它,谷歌将不会返回一个。prompt=consent
if you may have requested access from this user before, but have not stored a refresh token for them.如果您之前可能已请求该用户的访问权限,但没有为他们存储刷新令牌,则您应该包括prompt=consent
。 With prompt=consent
, Google will generate and return another refresh token to your application, even if the user has previously authorized it.使用prompt=consent
,Google 将生成另一个刷新令牌并将其返回给您的应用程序,即使用户之前已授权它也是如此。 If, on the other hand, what you meant by "initial OAuth request" is the token request , then the issue is likely that you are adding the prompt
and access_type
parameters to the token request, rather than the authorization request (where they are required).另一方面,如果您所说的“初始 OAuth 请求”是令牌请求,那么问题很可能是您将prompt
和access_type
参数添加到令牌请求,而不是授权请求(需要它们的地方) ).
You might also consider using a managed OAuth provider, like Xkit (where I work), for something like this.您也可以考虑使用托管的 OAuth 提供程序,例如Xkit (我工作的地方),用于此类操作。 With a managed provider, you won't have to worry about Google changing their parameters, everything is handled for you.使用托管提供商,您不必担心 Google 会更改其参数,一切都会为您处理。 Just one request gets you an access token that always works.只需一个请求即可获得始终有效的访问令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.