dongzhi8984 2015-01-19 06:58
浏览 45
已采纳

Google登录扩展令牌

My question:

How can I receive an extended token so the user won't be logged out after an hour or so? I intentionally requested an offline access because I read that I have to in order to receive a refresh token. But I'm not receiving it in the authResult java-script variable.

My code:

This is how my users sign in to my site with their Google account:

1 - A sign in button is presented.

<span id="signinButton">
    <span class="g-signin" data-callback="signinCallback" data-clientid="********.apps.googleusercontent.com" data-access_type="offline" data-cookiepolicy="single_host_origin" data-requestvisibleactions="http://schema.org/AddAction" data-scope="https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.profile.emails.read https://www.googleapis.com/auth/offline"></span>
</span>

2 - After the user click on the button, an ajax call is being made and the access token is passed on to the server.

function signinCallback(authResult) {

  if (authResult['status']['signed_in']) {
    //Shoot the ajax
    $.ajax({
        //...Send the access token to the server
    })
        .done(function(msg) {

            //...Do somthing after a sucessfull login

        });

  } else {
    //...
  }
}

3 - A PHP function receives the token and saves it in the $_SESSION variable for later use.

public function GoogleAuth($token) {

    $_SESSION['google_token'] = $token;

    #See that the token is valid
    $session_status = $this->GetSessionStatus($token, 'all');
    if ($session_status == false) {
        return $session_status;
    }

    #If token is valid, manage the registration/login process
    //...

}

4 - Here is the function that check if the token is valid:

public function GetSessionStatus($token) {

    $url = 'https://www.googleapis.com/oauth2/v1/userinfo';
    $params = 'access_token='.$token;

    $ch = curl_init($url . '?' . $params);

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
    if (!empty($headers)) curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_POST, false);
    curl_setopt($ch, CURLOPT_VERBOSE, true);

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

    $user = curl_exec($ch); 
    $user = json_decode($user);
    curl_close($ch);

    if (isset($user->id)) {
        return true;
    } else {
        return false;
    }

}

Again with my question in case you forgot :)

So this is how I handle the sign in. I'm not sure that I'm doing it properly, but it works. My question is how can I receive an extended token so the user won't be logged out after an hour or so. I intentionally requested an offline access because I read that I have to in order to receive a refresh token. But I'm not receiving it in the authResult java-script variable.

Edit: At end (how it was solved):

First, instead of using the $_SESSION, I used $_COOKIE. It's more permanent.

Second, I switch to all PHP sdk in order to receive the refresh token.

  • 写回答

1条回答 默认 最新

  • dongshi9719 2015-01-19 16:39
    关注

    Using Javascript means you're using the so-called OAuth 2.0 Implicit Grant and that grant type cannot return refresh tokens due to security constraints. The spec says in section https://tools.ietf.org/html/rfc6749#section-4.2.2:

    The authorization server MUST NOT issue a refresh token.

    This is because a Javascript client cannot securely store long lived tokens. It would be better for you to use a server side flow e.g. using the google-api-php-client so you can also store and reuse the refresh token in a secure way.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥30 这是哪个作者做的宝宝起名网站
  • ¥60 版本过低apk如何修改可以兼容新的安卓系统
  • ¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!