处理刷新令牌

I have a web api that uses OWIN Authentication in my ASP.NET WebAPI and I need to implement refresh token.

When users login, API sends a Access_Token, Expiry_Date(3 mins) and Refresh_token to client.

Then the tokens are saved in the client localStorage.

I know that the use of refresh_token is to get new access_token if the access_token is expired.

Now my problem is When to do this?

Do i need to check if the client still has a valid/un-expired access_token EVERY TIME i request for a data in the Web API? And if the access_token is expired, i need to request a new access_token right?

For example:

Client (Mobile hybrid app) request for data in api/orders (Web API).
The client detected that the access_token he uses is expired base on the Expiry_Date that was saved in the localStorage.
I need to "STOP" the request, get new access_token using refresh_token and then request the api/orders again. Basically doing THREE requests simultaneously? Seems to me a bit in efficient.

Or get the user to login again? I mean every 3 minutes the user needs to login? Which defeats the purpose of this.

Any idea how to handle it?

In this sample ajax request below, can someone have idea handle this?

$.ajax({
      type: 'GET',
      url: WEB_API_URL,
      data: data,
      dataType: 'json',
      beforeSend: function(xhr) {
         // need to check if the accessToken is expired
         xhr.setRequestHeader("Authorization", "Bearer " + accessToken);
       },
   }).

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
weixin_33690963 2014-06-11 07:35
关注
You should first get the tokens from your datastore. Check if they are valid for the next few seconds also. You don't want to run into a failed authorization because your request is delayed by something.

If the token is going to expire soon, use your refresh token to get new access token.

Then send your request to the Web Api.

In short;

1. Get token from datastore. 2. Check if token is valid. 3. If not valid, get new token. 4. Send request to Web Api.

I have no experience with Ajax, but with this flow you should be able to handle your request with a maximum of 2 request to your api.
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

oauth2如何处理刷新令牌 php
2013-07-23 04:17

回答 1 已采纳 Here is my experience when implementing the oAuth library and api using this library. If you are
无法从google api OAuth2刷新令牌 php
2015-06-08 12:00

回答 1 已采纳 The refresh_token is not returned by default in Google OAuth2. The request for an authorization c
使用PHP的Google Drive API - 刷新令牌获取消息'刷新令牌的问题必须传入或设置为setAccessToken的一部分' php
2018-09-18 23:55

回答 1 已采纳 Finally the token refresh works, I had to add this line $client->setAccessType("offline"); in o
如何实现刷新令牌功能前端
2020-10-11 06:33

weixin_26714477的博客它假定API已准备好进行刷新令牌，并且将指导您如何实现前端方面。 THE PROBLEM 问题 The defacto way for building applications is to authenticate your users then when the backend invalidates their token ...
Spotify的OAuth无法使用curl获取刷新令牌 php
2016-01-31 05:44

回答 2 已采纳 The reason I was receiving a bad response is because I needed: curl_setopt($ch, CURLOPT_SSL_VERI
Google PHP SDK - 无法获取刷新令牌 php
2015-06-15 15:09

回答 2 已采纳 First check the settings in the developer console of Google to see if your RedirectUri is the same
当访问令牌在GO中过期时，如何使用Google刷新令牌？
2018-10-15 22:16

回答 1 已采纳 oauth2.Config has a function which can automatically refreshes the token. updatedToken, err := co
jwt身份令牌数据处理前后端分离式开发
2022-10-15 19:01

Bugxiu_fu的博客因为令牌的第一部分和第二部分都是用 Base64 编码的 3、签名(Signature) 前面两部分都是使用 Base64 进行编码的，即前端可以解开知道里面的信息。Signature 需要使用编码后的 header 和 payload 以及我们提供的一个...
尝试使用谷歌PHP API的刷新令牌 php
2015-08-23 12:58

回答 1 已采纳 The error in Notice: Undefined property: stdClass::$refresh_token in C:\xampp\htdocs\trial\log-in
无法刷新令牌，因为用户已更改 - Syfmony 4 - LDAP php symfony
2019-08-09 16:17

回答 1 已采纳 This issue has been fixed in symfony 4.4, in symfony/src/Symfony/Component/Ldap/Security/LdapUser
Google Adwords API。如何使用PHP库刷新令牌 php
2015-12-22 20:24

回答 1 已采纳 { "error" : "unauthorized_client" } This error means that a different google application client_
Web前端无痛刷新token
2023-02-06 16:57

冰颖&的博客小白必备知识点之无痛刷新
Golang Google云端硬盘Oauth2不返回刷新令牌
2017-03-09 23:58

回答 1 已采纳 The problem was not with the code, and the code works if you've never gone through the authorizati
前端axios实现登入过期token拦截刷新
2023-06-06 23:21

cv魔法师的博客 token如果设置过期时间太短，安全性提高了，但用户体验下降了，你也不想在入录表单的时候数据填好了，一保存就给我跳转到登入页面吧，这种...axios二次封封装，导入refresh-token.ts在axios响应拦截器处理刷新token。
访问令牌（AccessToken）与刷新令牌（RefreshToken）
2022-05-15 09:04

昨夜丶雨疏风骤.的博客闲着无聊的我又来了，今天介绍一下访问令牌（AccessToken）与刷新令牌（RefreshToken）。最近公司来了几个Java，然后空气顿时充满了学术的氛围，每天都弥漫着垃圾回收，内存分配，堆栈等等各种技术问题的讨论，竖起...
没有解决我的问题, 去提问

悬赏问题

¥80 关于海信电视聚好看安装应用的问题
¥15 vue引入sdk后的回调问题
¥15 求一个智能家居控制的代码
¥15 ad软件 pcb布线pcb规则约束编辑器where the object matpcb布线pcb规则约束编辑器where the object matchs怎么没有+15v只有no net
¥15 虚拟机vmnet8 nat模式可以ping通主机，主机也能ping通虚拟机，但是vmnet8一直未识别怎么解决，其次诊断结果就是默认网关不可用
¥20 求各位能用我能理解的话回答超级简单的一些问题
¥15 yolov5双目识别输出坐标代码报错
¥15 这个代码有什么语法错误
¥15 给予STM32按键中断与串口通信
¥15 使用QT实现can通信

处理刷新令牌

1条回答 默认 最新

悬赏问题

1条回答默认最新