Server-side removal of OAuth token

Views: 52

Question


If a user wants to remove him/herself from our service, we delete all of their data from our database, including OAuth tokens. The OAuth tokens we have are secure and persistent. As part of best practice we would like to totally invalidate the tokens, as if they went to their Google accounts page and removed it there. Reading the OAuth documentation, it was not clear to me if this is possible because all of the examples pertained to single-session or non-secure cases (and excuse my lack of "What did you try?"-ism, but I'm trying to get a quick plan together on how to do this).

So


1) Is this possible? Preferably on 1.0?


2) How to do this?

Answer


Yes, you can revoke tokens programmatically as if the user revoked access in their accounts settings page.


For AuthSub and OAuth 1.0, use the AuthSubRevoke token endpoint by making an OAuth-signed request to:

https://www.google.com/accounts/AuthSubRevokeToken


For OAuth 2.0, use the revocation endpoint like:

https://accounts.google.com/o/oauth2/revoke?token={refresh_token}
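The OAuth 2.0 half of the answer, carried through as an added example (this is not code from the answer or from Google): revoke the stored refresh token first, and only delete the database row once Google has confirmed the revocation or reported the token already invalid. Assumptions, labelled in the code: the RFC 7009 style endpoint `https://oauth2.googleapis.com/revoke` taking the token in a POST body (the answer quotes the older `?token=` GET form; sending the token in the body keeps it out of access logs), HTTP 200 on success, and HTTP 400 with a JSON body `{"error": "invalid_token"}` when the token is already revoked or expired. The transport is injected as a callable so the flow can be exercised offline; `http_send` is the real one.

```python
"""Revoke a user's Google OAuth 2.0 refresh token, then delete the stored copy.

Added example, not from the original answer. Assumptions (labelled):
- REVOKE_URL: RFC 7009 style revocation endpoint. Revoking a refresh token also
  invalidates the access tokens minted from it.
- Google answers HTTP 200 on success and HTTP 400 with {"error": "invalid_token"}
  when the token is already revoked or expired.
- `send` is injected so the flow runs offline; `http_send` is the real transport.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

REVOKE_URL = "https://oauth2.googleapis.com/revoke"  # assumed endpoint


def build_revocation_request(token: str, revoke_url: str = REVOKE_URL) -> urllib.request.Request:
    # The token travels in the POST body, not the query string, so it is not copied
    # into proxy or web-server access logs the way a GET ?token=... would be.
    body = urllib.parse.urlencode({"token": token}).encode("ascii")
    return urllib.request.Request(
        revoke_url,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def http_send(req: urllib.request.Request):
    """Real transport: returns (status, body_text). Not used by the offline test."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def classify_revocation(status: int, body: str) -> str:
    """Map the endpoint's reply to one of: revoked, already_invalid, failed."""
    if status == 200:
        return "revoked"
    if status == 400:
        try:
            err = json.loads(body).get("error")
        except ValueError:
            err = None
        if err == "invalid_token":
            # Already revoked on Google's side (e.g. the user did it from their
            # account page); safe to drop our copy.
            return "already_invalid"
    return "failed"


def delete_user(user_id: str, token_store: dict, send=http_send) -> str:
    """Revoke first, delete second.

    If the endpoint rejects the revocation for any reason other than 'token already
    invalid' (network error, 5xx, rate limit), keep the row so the revocation can be
    retried; once the token is gone from our database it can never be revoked.
    Never log the token value itself.
    """
    token = token_store.get(user_id)
    if token is None:
        return "no_token"
    outcome = classify_revocation(*send(build_revocation_request(token)))
    if outcome == "failed":
        return "kept"
    del token_store[user_id]
    return outcome


if __name__ == "__main__":
    # Constructed sample store; with the real transport this contacts Google.
    store = {"alice": "1//0example-refresh-token"}
    print(delete_user("alice", store))
```

The AuthSub / OAuth 1.0 path in the answer differs only in the endpoint and in needing an OAuth 1.0 signed request; the revoke-then-delete ordering and the handling of an already-invalid token apply the same way.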
