douding_1073 2013-07-23 04:17
浏览 812
已采纳

oauth2如何处理刷新令牌

I have been trying to implement my own OAuth2 Provider and I am a little stuck in the refresh_token part. How am I suppose to deal with it?Am I supposed to check for refresh_token in the API or in the client side? If I am a unclear Ill give a scenario:

Suppose I have a function in the API side checkToken which checks if the token is invalid or expired. I pass the invalid test easily. Then I check for the expired part. So the tricky part is here for me. In the function checkToken should I add

if(findRefreshToken($client_id, $user_id)) {
  $this->grantRefreshToken($client_id, $client_secret, $user_id);
} else {
   $this->error(401, 'Token expired');
}

Or should I only have error 401 and the client finds what to do with it?

  • 写回答

1条回答 默认 最新

  • duanlei20082008 2013-07-23 06:01
    关注

    Here is my experience when implementing the oAuth library and api using this library.

    1. If you are implementing it as a library,you need to have checkToken and refreshToken seperately.So the api(depending on the requirement) can decide whether to refresh token or not while checking/verifing the token.

    2. When doing in the api, again it depends on the requirement.if the requirement is that the user session should be active for some time(say 4 hours) from his last access, then it is better to refresh token every time you are checking/validating the token. The same refresh token can be done on the client,but the issue will be that the client has to call refresh token after every api call,which means there will 2 calls for every single api.

    Hope this will clarify.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥188 寻找能做王者评分提取的
  • ¥15 matlab用simulink求解一个二阶微分方程,要求截图
  • ¥30 乘子法解约束最优化问题的matlab代码文件,最好有matlab代码文件
  • ¥15 写论文,需要数据支撑
  • ¥15 identifier of an instance of 类 was altered from xx to xx错误
  • ¥100 反编译微信小游戏求指导
  • ¥15 docker模式webrtc-streamer 无法播放公网rtsp
  • ¥15 学不会递归,理解不了汉诺塔参数变化
  • ¥15 基于图神经网络的COVID-19药物筛选研究
  • ¥30 软件自定义无线电该怎样使用