处理刷新令牌

I have a web api that uses OWIN Authentication in my ASP.NET WebAPI and I need to implement refresh token.

When users login, API sends a Access_Token, Expiry_Date(3 mins) and Refresh_token to client.

Then the tokens are saved in the client localStorage.

I know that the use of refresh_token is to get new access_token if the access_token is expired.

Now my problem is When to do this?

Do i need to check if the client still has a valid/un-expired access_token EVERY TIME i request for a data in the Web API? And if the access_token is expired, i need to request a new access_token right?

For example:

Client (Mobile hybrid app) request for data in api/orders (Web API).
The client detected that the access_token he uses is expired base on the Expiry_Date that was saved in the localStorage.
I need to "STOP" the request, get new access_token using refresh_token and then request the api/orders again. Basically doing THREE requests simultaneously? Seems to me a bit in efficient.

Or get the user to login again? I mean every 3 minutes the user needs to login? Which defeats the purpose of this.

Any idea how to handle it?

In this sample ajax request below, can someone have idea handle this?

$.ajax({
      type: 'GET',
      url: WEB_API_URL,
      data: data,
      dataType: 'json',
      beforeSend: function(xhr) {
         // need to check if the accessToken is expired
         xhr.setRequestHeader("Authorization", "Bearer " + accessToken);
       },
   }).

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
weixin_33690963 2014-06-11 07:35
关注
You should first get the tokens from your datastore. Check if they are valid for the next few seconds also. You don't want to run into a failed authorization because your request is delayed by something.

If the token is going to expire soon, use your refresh token to get new access token.

Then send your request to the Web Api.

In short;

1. Get token from datastore. 2. Check if token is valid. 3. If not valid, get new token. 4. Send request to Web Api.

I have no experience with Ajax, but with this flow you should be able to handle your request with a maximum of 2 request to your api.
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

oauth2如何处理刷新令牌 php
2013-07-23 04:17

回答 1 已采纳 Here is my experience when implementing the oAuth library and api using this library. If you are
使用PHP的Google Drive API - 刷新令牌获取消息'刷新令牌的问题必须传入或设置为setAccessToken的一部分' php
2018-09-18 23:55

回答 1 已采纳 Finally the token refresh works, I had to add this line $client->setAccessType("offline"); in o
无法从google api OAuth2刷新令牌 php
2015-06-08 12:00

回答 1 已采纳 The refresh_token is not returned by default in Google OAuth2. The request for an authorization c
如何实现刷新令牌功能前端
2020-10-11 06:33

weixin_26714477的博客它假定API已准备好进行刷新令牌，并且将指导您如何实现前端方面。 THE PROBLEM 问题 The defacto way for building applications is to authenticate your users then when the backend invalidates their token ...
Spotify的OAuth无法使用curl获取刷新令牌 php
2016-01-31 05:44

回答 2 已采纳 The reason I was receiving a bad response is because I needed: curl_setopt($ch, CURLOPT_SSL_VERI
Google PHP SDK - 无法获取刷新令牌 php
2015-06-15 15:09

回答 2 已采纳 First check the settings in the developer console of Google to see if your RedirectUri is the same
当访问令牌在GO中过期时，如何使用Google刷新令牌？
2018-10-15 22:16

回答 1 已采纳 oauth2.Config has a function which can automatically refreshes the token. updatedToken, err := co
前端怎样处理Token的问题
2022-08-19 21:45

Mr.指尖舞者的博客在axios的每个请求发起前进行拦截，根据expires_in判断token是否过期，如果过期则会刷新后再继续请求接口优点：请求前拦截处理，能节省请求次数缺点：后端需要提供Token过期时间字段（例如：expires_in），并且...
尝试使用谷歌PHP API的刷新令牌 php
2015-08-23 12:58

回答 1 已采纳 The error in Notice: Undefined property: stdClass::$refresh_token in C:\xampp\htdocs\trial\log-in
无法刷新令牌，因为用户已更改 - Syfmony 4 - LDAP php symfony
2019-08-09 16:17

回答 1 已采纳 This issue has been fixed in symfony 4.4, in symfony/src/Symfony/Component/Ldap/Security/LdapUser
Google Adwords API。如何使用PHP库刷新令牌 php
2015-12-22 20:24

回答 1 已采纳 { "error" : "unauthorized_client" } This error means that a different google application client_
jwt身份令牌数据处理前后端分离式开发
2022-10-15 19:01

Bugxiu_fu的博客因为令牌的第一部分和第二部分都是用 Base64 编码的 3、签名(Signature) 前面两部分都是使用 Base64 进行编码的，即前端可以解开知道里面的信息。Signature 需要使用编码后的 header 和 payload 以及我们提供的一个...
Golang Google云端硬盘Oauth2不返回刷新令牌
2017-03-09 23:58

回答 1 已采纳 The problem was not with the code, and the code works if you've never gone through the authorizati
Web前端无痛刷新token
2023-02-06 16:57

冰颖&的博客小白必备知识点之无痛刷新
访问令牌（AccessToken）与刷新令牌（RefreshToken）
2022-05-15 09:04

昨夜丶雨疏风骤.的博客闲着无聊的我又来了，今天介绍一下访问令牌（AccessToken）与刷新令牌（RefreshToken）。最近公司来了几个Java，然后空气顿时充满了学术的氛围，每天都弥漫着垃圾回收，内存分配，堆栈等等各种技术问题的讨论，竖起...
没有解决我的问题, 去提问

悬赏问题

¥15 树莓派与pix飞控通信
¥15 自动转发微信群信息到另外一个微信群
¥15 outlook无法配置成功
¥30 这是哪个作者做的宝宝起名网站
¥60 版本过低apk如何修改可以兼容新的安卓系统
¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
¥50 有数据，怎么建立模型求影响全要素生产率的因素
¥50 有数据，怎么用matlab求全要素生产率
¥15 TI的insta-spin例程
¥15 完成下列问题完成下列问题

处理刷新令牌

1条回答 默认 最新

悬赏问题

1条回答默认最新