谷歌 OAuth 2.0:刷新access_token
[英]Google OAuth 2.0: Refresh access_token
问题描述
I have a server based application that will post appointment dates on a users google calendar.
我有一个基于服务器的应用程序,它将在用户的谷歌日历上发布约会日期。
The New User goes thru a process to grant my application permission to access their calendar.新用户通过一个过程来授予我的应用程序访问他们日历的权限。 I have NOT yet acquired approval from google so I'm still under the 100 user limit (I'm around 30 users).我还没有获得谷歌的批准,所以我仍然低于 100 个用户的限制(我大约有 30 个用户)。
I use HTTP and have been supplying the following as part of my initial OAuth request:我使用 HTTP 并在我最初的 OAuth 请求中提供了以下内容:
sprintf(TM.txt, "code=%s&client_id=%s&client_secret=%s&redirect_uri=%s&grant_type=authorization_code",
The last few months - the process normally redirects the user to google where they enter their email and password and then back to my server with an access token AND a refresh token.最近几个月 - 该过程通常将用户重定向到谷歌,在那里他们输入他们的 email 和密码,然后使用访问令牌和刷新令牌返回到我的服务器。 (I use the presence of refresh token to determine if the server has long-term access). (我使用刷新令牌的存在来确定服务器是否具有长期访问权限)。
Lately the initial request is NOT being redirected to google and the server is returned an access token but NOT a refresh token.最近初始请求没有被重定向到谷歌,服务器返回一个访问令牌而不是刷新令牌。
Searching stackoverflow for past posts, I found recommendations to add the following to the request but no refresh token is returned: &access_type=offline&prompt=consent在 stackoverflow 上搜索过去的帖子,我发现建议将以下内容添加到请求中,但没有返回刷新令牌: &access_type=offline&prompt=consent
Questions问题
Has something changed in the request process?
请求过程中有什么变化吗?What am I missing to receive a refresh token as I had in the past?
像过去一样,我缺少什么来接收刷新令牌?I know that if a refresh token was grated in the past - a new one can not be reacquired until the user kills the original approval by going to:
我知道如果一个刷新令牌在过去被磨碎 - 在用户通过以下方式取消原始批准之前无法重新获取新令牌:https://security.google.com/settings/security/permissions?pli=1
https://security.google.com/settings/security/permissions?pli=1
I have looked at these permissions for users that we have acquired permission and have a refresh token - but I do NOT see my application stated as a Third-Party App.我已经查看了我们已获得许可并拥有刷新令牌的用户的这些权限 - 但我没有看到我的应用程序被声明为第三方应用程序。 How should my App appear so that it could be dismissed if that action was required?我的应用程序应该如何显示,以便在需要该操作时可以将其关闭?
Thanks谢谢
This is the code that has been working for 3 months:这是已经运行了 3 个月的代码:
sprintf(TM.txt, "code=%s&client_id=%s&client_secret=%s&redirect_uri=%s&grant_type=authorization_code",
JSTR *Code,
"323191532401-fcagbr2kfmofgil2i2qch53p1whe27g9.apps.googleusercontent.com",
"j3dIGjj-c5d17bE-HVb2d67R",
"https://knowledgeispower.biz:8888/GoogleOuath" );
I have changed the values above so they are not the actual ones used.我已经更改了上面的值,所以它们不是实际使用的值。
1 个解决方案
解决方案1
0 2020-12-03 00:32:40
It's unclear what you mean by "initial OAuth request".目前尚不清楚“初始 OAuth 请求”是什么意思。 The OAuth2 process is as follows: OAuth2流程如下:
- you redirect your user to the authorization URL (the authorization request)您将用户重定向到授权 URL (授权请求)
- your user is redirected by Google to your redirect URL with a
code您的用户被谷歌重定向到您的重定向 URL code - you make a direct HTTP request to the token URL (the token request) with the
code您使用code向令牌 URL (令牌请求)发出直接 HTTP 请求
Assuming that what you meant by "initial OAuth request" is the authorization request , the structure of your authorization URL is incorrect:假设您所说的“初始 OAuth 请求”是授权请求,您的授权 URL 的结构是不正确的:
- You should not include a
codeparameter in the authorization URL (the code is returned to yourredirect_urias a query parameter to be used in the token request. As a note, I'm not sure what this value even is)您不应该在授权 URL 中包含code参数(该代码作为查询参数返回到您的redirect_uri以在令牌请求中使用。请注意,我什至不确定这个值是什么) - You should not include the
client_secretin the authorization URL. The client secret is meant to be a secret, known only by your application.您不应在授权 URL 中包含client_secret。客户端机密是一个秘密,只有您的应用程序知道。 If you've been including it in the URL, you should assume it is compromised, and you'll need new credentials from Google.如果您已将其包含在 URL 中,您应该假设它已被泄露,并且您需要来自 Google 的新凭据。 The client_secretshould only be included in server-side requests to Google to authorize your application.client_secret应仅包含在向 Google 发出的服务器端请求中,以授权您的应用程序。 - You must include a
scopesparameter.您必须包含scopes参数。 This tells Google what permissions your application is requesting这会告诉 Google 您的应用程序请求的权限 - You must include
access_type=offlineif you need a refresh token.如果您需要刷新令牌,则必须包含access_type=offline。 Without it, Google will not return one.没有它,谷歌将不会返回一个。 - You should include
prompt=consentif you may have requested access from this user before, but have not stored a refresh token for them.如果您之前可能已请求该用户的访问权限,但没有为他们存储刷新令牌,则您应该包括prompt=consent。 Withprompt=consent, Google will generate and return another refresh token to your application, even if the user has previously authorized it.使用prompt=consent,Google 将生成另一个刷新令牌并将其返回给您的应用程序,即使用户之前已授权它也是如此。
If, on the other hand, what you meant by "initial OAuth request" is the token request , then the issue is likely that you are adding the prompt and access_type parameters to the token request, rather than the authorization request (where they are required).另一方面,如果您所说的“初始 OAuth 请求”是令牌请求,那么问题很可能是您将prompt和access_type参数添加到令牌请求,而不是授权请求(需要它们的地方) ).
You might also consider using a managed OAuth provider, like Xkit (where I work), for something like this.您也可以考虑使用托管的 OAuth 提供程序,例如Xkit (我工作的地方),用于此类操作。 With a managed provider, you won't have to worry about Google changing their parameters, everything is handled for you.使用托管提供商,您不必担心 Google 会更改其参数,一切都会为您处理。 Just one request gets you an access token that always works.只需一个请求即可获得始终有效的访问令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.