PHP oauth2: how to use refresh_token

I'm a bit puzzled how to use auth_ and refresh_token correctly in php.

I have registered a new client app with the oauth-provider. After that my app sends the client-id and secret to the oauth2-authorization-endpoint, which returns the following:

Array
(
    [result] => Array
        (
            [access_token] => qjdcshsmgwcuvi7hzpgxwqapfb8aoab60fmprk1g
            [expires_in] => 86400
            [token_type] => Bearer
            [scope] => basic
            [refresh_token] => whnutk9npmaikcn1bxbovleuqn9ggn9j00jgyiph
        )

    [code] => 200
    [content_type] => application/json
) 

Great, I can now query the API by use of access_token. BUT the access_token will expire in 24h and the whole dance will start again.

Questions:

  • Where do I store the access_token so that the whole process does not run on every request? (A session will not be persistent; in a conf file, memcache, a DB?)
  • How to deal with the refresh token? Should I save a timestamp in the session and check if a new access_token has to be requested?
doukui7574
Since you know the access token will expire after 24 hours, you can easily store the current timestamp + 24 hours along with your request. Your application should also be able to cope with not being able to renew the access token, because the authorization may have been revoked.
almost 4 years ago

douzhi2017
Thanks for your reply. My problem is that I am confused about the auth flow. Do I have to check whether the access_token has to be renewed as described above, or do I start the process e.g. from an error response like a 401? A further question is where to store the tokens permanently in PHP.
almost 4 years ago

duandazhen7306
That is the whole purpose of the refresh_token. If your access_token is leaked, it will not be revoked, but the refresh_token will, so nobody will use this token. Using this method brings the advantage of being able to send access tokens to the client.
almost 4 years ago

1 answer




If you only use those tokens when your user is online (as in signed in to your application), then I would store it in a session variable. If you'll also use the tokens when the user is not online, it would be recommended to store them in a database. In the first case, you'll receive a refresh token every time the user signs in. In the second case, you'll receive a refresh token only once (i.e. when the user links their 3rd party account to your application).

To answer your second question, it would be advisable to store the expiry timestamp with the access_token.
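The storage and expiry check the answer recommends, as an added example that is not part of the question or the answer: the access_token is kept in the session together with an absolute expiry timestamp, the refresh_token is used only when the access_token is about to expire, and a refused refresh (e.g. revoked authorization) clears the store so the user is sent through the authorization flow again. The token endpoint URL and client credentials are placeholders.

```php
<?php
// Added example, not code from the question or answer. The endpoint URL and
// client credentials are placeholders; the session is used as the token store.
const TOKEN_ENDPOINT = 'https://oauth-provider.example/token'; // placeholder
const CLIENT_ID      = 'your-client-id';                        // placeholder
const CLIENT_SECRET  = 'your-client-secret';                    // placeholder
const REFRESH_MARGIN = 60; // refresh this many seconds early to absorb clock skew
session_start();

/** Persist the token response with an absolute expiry timestamp. */
function storeTokens(array $result): void {
    $_SESSION['oauth'] = [
        'access_token'  => $result['access_token'],
        // a refresh response may omit refresh_token; keep the one we already have
        'refresh_token' => $result['refresh_token'] ?? ($_SESSION['oauth']['refresh_token'] ?? null),
        'expires_at'    => time() + (int)$result['expires_in'],
    ];
}

/** Exchange the refresh_token for a new access_token; null if the provider refuses. */
function refreshAccessToken(string $refreshToken): ?array {
    $ch = curl_init(TOKEN_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_USERPWD        => CLIENT_ID . ':' . CLIENT_SECRET, // HTTP Basic client auth
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
        ]),
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        return null; // e.g. 400 invalid_grant: refresh token revoked or expired
    }
    $json = json_decode($body, true);
    return isset($json['access_token']) ? $json : null;
}

/** Return a usable access_token, refreshing if needed; null means re-authorize the user. */
function getAccessToken(): ?string {
    $t = $_SESSION['oauth'] ?? null;
    if ($t === null) return null;
    if (time() < $t['expires_at'] - REFRESH_MARGIN) return $t['access_token'];
    $fresh = refreshAccessToken($t['refresh_token'] ?? '');
    if ($fresh === null) { unset($_SESSION['oauth']); return null; } // authorization revoked
    storeTokens($fresh);
    return $fresh['access_token'];
}
```

Call storeTokens($response['result']) once after the initial token exchange, then getAccessToken() before each API request; if the API still answers 401 with a freshly refreshed token, treat the authorization as revoked and start the flow again.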
