Too many Refresh Tokens

Question

Hello,

We are building a Bing Ads API integration for our platform. The idea of this is to be a jar that gets invoked every time our system needs reporting or placement of Bing Ads. This is done many times, sparsely, during the 8 hours of the workday.

Our integration is working; we are successfully getting a refresh_token and access token. But we have some doubts and concerns with the process:

1. Our access tokens expire on the hour (3600 seconds); at that time we get a new one with the refresh_token. This process returns a new refresh_token as well. Our concern is that the old and new refresh tokens are alive at the same time. If you extrapolate this to several days of intense activity, we are going to end up with many (over 100) refresh tokens in a week. Following the way the API works, we are going to have as many live refresh_tokens as authentication_tokens expired.

Are we doing things correctly? We've done other integrations of this kind, and we always use one refresh_token that usually doesn't expire; we have never had to request a new refresh_token (unless the user revokes our access).

2. If the answer to 1. is that we are doing things correctly, which is the best practice for this situation? Is there an API that revokes refresh tokens or similar?

Thank you for your time and help.




Recommended answer

Hello.

We do not recommend that you store all refresh tokens. Only the most recent refresh token needs to be stored (securely). Whereas the refresh token parameter does not have a defined expiration period, you should expect it to last several months. As a best practice the refresh token should be set to the value of the most recent refresh token retrieved. 

All current and previous refresh tokens will be invalidated if/when the Microsoft Account user changed their password, removed a device from their list of trusted devices, or removed permissions for your application to authenticate on their behalf. 

For related information please see Managing User Authentication with OAuth.

I hope this helps!
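
An added example, not part of the original thread or of Microsoft's documentation: one way to follow the answer's advice of storing only the most recent refresh token, sketched in Python. The `redeem` callable (standing in for the POST to the token endpoint), the file path and the JSON layout are assumptions.

```python
import json
import os
import tempfile


class ReauthorizationRequired(Exception):
    """The stored refresh token was rejected; the user must consent again."""


class RefreshTokenStore:
    """Holds exactly one refresh token on disk: the latest one received."""

    def __init__(self, path):
        self.path = os.path.abspath(path)

    def load(self):
        with open(self.path, encoding="utf-8") as fh:
            return json.load(fh)["refresh_token"]

    def save(self, refresh_token):
        # Write a temp file in the same directory and rename it over the old
        # one, so a crash never leaves a truncated token behind.
        # mkstemp creates the file readable and writable by the owner only.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path))
        try:
            with os.fdopen(fd, "w", encoding="utf-8") as fh:
                json.dump({"refresh_token": refresh_token}, fh)
            os.replace(tmp, self.path)
        except BaseException:
            os.unlink(tmp)
            raise


def get_access_token(store, redeem):
    """Redeem the stored refresh token; keep only the newest one returned.

    `redeem` (assumed) takes a refresh token and returns the token endpoint's
    parsed JSON response as a dict.
    """
    response = redeem(store.load())
    if response.get("error") == "invalid_grant":
        # Standard OAuth 2.0 error for a revoked or otherwise invalid grant.
        raise ReauthorizationRequired(response.get("error_description", ""))
    if "access_token" not in response:
        raise RuntimeError("token request failed: %r" % response.get("error"))
    # Overwrite, never accumulate: the previous value is simply discarded.
    if response.get("refresh_token"):
        store.save(response["refresh_token"])
    return response["access_token"]
```

If several invocations can refresh at the same time, serialize them (for example with a file lock) so that the last value written is the newest token.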

