douqiao2471 2016-12-18 20:55
浏览 182
已采纳

Google OAuth2验证服务器流中的访问令牌

I'm manually writing OAuth2 Server Flow to allow users to login using Google (and other websites, but let's focus on Google).

I have the basic flow working:

  1. user clicks on the login link.
  2. goes to Google and sees consent screen.
  3. accepts.
  4. redirected back to my website.
  5. server takes relevant information and logs user in.

So far so good. Now I want to make sure that the server remembers the user for next time. For that I store the token along with other user data on the server.

Now, how do I check, server-to-server, if the token is still valid? I have it's expiration time, so I know it's invalid after that time passes, but what do I do then? Should I ask for a permanent (offline) token if I only want to allow login?

  • 写回答

1条回答 默认 最新

  • doujia7094 2016-12-23 08:12
    关注

    As a result of authorization success from Google, you should also get refresh_token. If you are not getting then do the following.

    1. when you are redirecting to Authorization endpoint add additional parameter access_type=offline which will make sure that you will get refresh_token
    2. Use refresh token to get additional access tokens.

    Now, for validating you can hit the token validation endpoint of Google, if you are not maintaining the state. If you are maintaining the state then you can validate the expiry of token if token is only signed, if encrypted then you have to validate from Google.

    You can play with different Google OAuth URLs here

    more details on token validation here

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 netty整合springboot之后自动重连失效
  • ¥15 悬赏!微信开发者工具报错,求帮改
  • ¥20 wireshark抓不到vlan
  • ¥20 关于#stm32#的问题:需要指导自动酸碱滴定仪的原理图程序代码及仿真
  • ¥20 设计一款异域新娘的视频相亲软件需要哪些技术支持
  • ¥15 stata安慰剂检验作图但是真实值不出现在图上
  • ¥15 c程序不知道为什么得不到结果
  • ¥40 复杂的限制性的商函数处理
  • ¥15 程序不包含适用于入口点的静态Main方法
  • ¥15 素材场景中光线烘焙后灯光失效