Can LinkedIn's access token renewal flow be performed on the server?

Question

In Facebook's Graph API, once we have initially authenticated the user, we can interact directly with the API (from the server) to obtain a long-lived page access token. This long-lived page access token never expires. (https://developers.facebook.com/docs/facebook-login/access-tokens/)

In reading LinkedIn's documentation, it appears that it is impossible to obtain an access token with an indefinite (non-expiring) access token. It seems that they expire every 60 days. However, these access tokens can be refreshed before the 60 days is up.

What isn't entirely clear from the documentation is whether or not the access token renewal can be performed on the server alone without the client's interaction. The language of the documentation suggests that the interaction of the client (browser) is required, but nothing is explicitly stated.

So, my question is, is it possible to renew a LinkedIn access token using the server alone, without the interaction of the client (browser)?

Relevant LinkedIn reference material: https://developer.linkedin.com/documents/handling-errors-invalid-tokens

Recommended answer

As it turns out, the access tokens of LinkedIn cannot be refreshed without having the LinkedIn user log in to LinkedIn. Please refer to the first comment here by a LinkedIn employee, which clearly states in a note that "this refresh will only work if the user is still logged into LinkedIn (authenticated) and the current access token isn't expired. Otherwise, the user will be presented with the login dialog again."

I guess that is now a major issue for those who were previously storing the LinkedIn access tokens in a database for later use.

I am mentioning a few links here which refer to the issue with refreshing LinkedIn OAuth2 tokens (hope this makes it clear for everyone who is struggling with the same issue):

1) This refresh will only work if the user is still logged into LinkedIn (authenticated) and the current access token isn't expired. Otherwise, the user will be presented with the login dialog again.

2) There is no way to refresh the token using the old authentication token/secret. User needs to log into linkedin in order for you to refresh the tokens. We use this flow as it protects our members and their data in the best possible manner.

3) Refreshing an access token is very simple and can happen without an authorization dialog appearing for the user. In other words, it's a seamless process that doesn't affect your application's user experience. Simply have your application go through the authorization flow in order to fetch a new access token with an additional 60 day life span. When the following conditions exist:

- User is still logged into Linkedin.com
- The current access token isn't expired (within the 60 life span)

We will automatically redirect the user back to your redirect_uri without requiring them to reauthorize your application. If they don't exist, we'll prompt them to login and then redirect them.

4) We have also standardized the duration of the authorization tokens. Previously, members could choose to grant tokens that were as short as one day or as long as forever. Now all tokens are 60 days in length, with the ability for you to extend them in a series of rolling 60 day increments whenever the member comes back to your application. To prevent a bad user experience in your application, be sure to proactively refresh tokens and elegantly route any expired tokens through a refresh flow.

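5) As long as the user is logged into LinkedIn and their current access token hasn't expired, you can fetch an access token with a 60 day life span the next time the user comes to your application.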
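The following is an added example, not code from the original answer or from LinkedIn: a server-side sketch of the consequence described above, where the server can only decide when to send the visiting user back through the authorization flow and must verify the `state` value on return. The 10-day refresh window, the `session` dict, the placeholder client id and callback URL, and the authorization endpoint URL are assumptions to check against LinkedIn's current documentation.

```python
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

TOKEN_LIFETIME = timedelta(days=60)   # lifetime quoted in the answer
REFRESH_WINDOW = timedelta(days=10)   # assumption: how early to re-authorize
# Assumption: LinkedIn's OAuth 2.0 authorization endpoint; confirm in current docs.
AUTHORIZE_URL = "https://www.linkedin.com/oauth/v2/authorization"


def token_action(issued_at, now):
    """Decide what the server can do with a stored token at time `now`."""
    expires_at = issued_at + TOKEN_LIFETIME
    if now >= expires_at:
        return "login_required"   # expired: the user will get the login dialog
    if now >= expires_at - REFRESH_WINDOW:
        return "reauthorize"      # still valid: redirect the user on this visit
    return "use"                  # fresh enough: keep calling the API


def begin_reauthorization(session, client_id, redirect_uri):
    """Build the browser redirect; the server cannot renew the token alone."""
    state = secrets.token_urlsafe(32)   # anti-CSRF value bound to this session
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def callback_state_ok(session, returned_state):
    """Check the state echoed to redirect_uri: single use, constant time."""
    expected = session.pop("oauth_state", None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), (returned_state or "").encode())


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    issued = now - timedelta(days=55)   # constructed sample token record
    print(token_action(issued, now))
    session = {}                        # stand-in for a web framework session
    print(begin_reauthorization(session, "CLIENT_ID_PLACEHOLDER",
                                "https://app.example/callback"))
```

A background job can still run `token_action` over stored records to find users whose tokens are near expiry, but the renewal itself only happens when that user's browser follows the redirect.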
