关于OAuth的问题 [英] Questions about OAuth
问题描述
我想为v9实施OAuth。我浏览了
this 链接,我明白了我将使用授权授权流程。
I want to implement OAuth for v9. I went through this link, and I understand that I will be using authorization grant flow.
我有以下问题:
- 授权码是否是仅使用一次?
一旦用户同意,我不想再次要求同意。我该如何做到这一点?
我应该:
a)存储授权码并重复步骤4(授权授权流程)并获得新的访问&每次应用程序启动时刷新令牌?
或
b)存储刷新令牌在步骤5中获取并在每次应用程序启动时请求新的访问令牌?
- 刷新令牌是否过期?如果是,如果刷新令牌在我的应用程序未运行时到期会发生什么?
当我再次启动我的应用程序时,我是否还需要再次征得用户同意?
- Is the authorization code to be used just once?
Once the user has given the consent, I do not wish to ask for consent ever again. How do I accomplish this?
Should I:
a) Store the authorization code and and repeat step 4 (Authorization grant flow) and get new access & refresh tokens each time the application starts? OR
b) Store the refresh token obtained in step 5 and request for a new access token each time the application starts?
- Does the refresh token expire? If yes, what happens if the refresh token expires while my application is not running?
When I start my application again, will I have to ask for user consent again?
谢谢,
Aradhya
推荐答案
你好。
是的,您应该安全地存储刷新令牌,并请求带有刷新令牌的新访问令牌。授权服务保留随时使刷新令牌无效的权利,但在实践中您应该期望它们是持久的。作为
最佳实践,您应该存储最近检索到的刷新令牌,而不是保留原始令牌。
Yes you should securely store the refresh token, and request a new access token with refresh token. The authorization service reserves the right to invalidate a refresh token anytime, but in practice you should expect they are persistent. As a best practice you should store the most recently retrieved refresh token, and not keep the original.
如果Microsoft帐户用户更改其密码或删除应用程序的权限以代表他们进行身份验证,则需要通过Web浏览器控件再次请求用户同意。
If the Microsoft Account user changes their password or removes permissions for your application to authenticate on their behalf, then you would need to request user consent again through a web browser control.
我希望这有帮助!
这篇关于关于OAuth的问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
