dongsuiying7773
2016-12-31 13:17
浏览 314
已采纳

PHP oauth2如何使用refresh_token

I´m a bit puzzled how to use auth_ and refresh_token correctly in php.

I have registered a new client app with the oauth-provider. After that my app sends the client-id and secret to the oauth2-authorization-endpoint which returns following:

Array
(
    [result] => Array
        (
            [access_token] => qjdcshsmgwcuvi7hzpgxwqapfb8aoab60fmprk1g
            [expires_in] => 86400
            [token_type] => Bearer
            [scope] => basic
            [refresh_token] => whnutk9npmaikcn1bxbovleuqn9ggn9j00jgyiph
        )

    [code] => 200
    [content_type] => application/json
) 

Great, I can now query the API by use of access_token. BUT the access_token will expire in 24h and the whole dance will start again.

Questions:

  • where do I store the access_token that the whole process does not run on every request? A session will not be persistent, in a conf file, memcache a DB?)
  • How to deal with the refresh token should I save a timestamp in the session and check if a new access_token has to be requested?
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • dongshao1021 2016-12-31 13:52
    已采纳

    If you only use those tokens when your user is online (as in signed in to your application), then I would store it in a session variable. If you'll also use the tokens when the user is not online, it would be recommended to store them in a database. In the first case, you'll receive a refresh token every time the user signs in. In the second case, you'll receive a refresh token only once (i.e. when the user links their 3rd party account to your application).

    To answer your second question, it would be advisable to store the expiry timestamp with the access_token.

    已采纳该答案
    打赏 评论

相关推荐 更多相似问题