How to make Google sign-in token valid for longer than 1 hour?


Problem description

I have implemented Google sign-in successfully.

I am able to authenticate the user and in response I receive a token. However, the token expires in 1 hour.

expires_in: "3600"

I tried searching in the docs - https://developers.google.com/identity/sign-in/web/reference - but cannot find a parameter to extend the lifespan of the token.

https://developers.google.com/identity/sign-in/web/backend-auth

after a user successfully signs in, send the user's ID token to your server using HTTPS

I'm sending the token with each request to the server:

"endpoint/get?access_token=" + access_token

And then on the server I'm calling https://www.googleapis.com/oauth2/v3/tokeninfo

So I have a token, every request is authenticated, but after 1 hour of working the tokeninfo method returns false and I need to re-authenticate the user.

In my code I circumvented that by storing all the historical access_tokens, and if the client uses an old token I check against the historical data and manually issue a new token using the refresh_token (one of my permissions is to grant offline access).

So I'd like to know:

  • How to extend the lifespan of the access_token?

OR

  • Given the limited lifespan, how do I make sure requests are authenticated on the backend?

Recommended answer

As @DaImTo noted, you can't extend the life of an access_token. You can get a new one using a refresh_token, but often, if you're trying to do this client side and have a server, you should re-think your approach.

It sounds like there are two "authentications" that you're doing here - the client authenticating against the server, and the server authenticating against the Google service. Right now, the server should be holding onto the refresh token - so it can always re-authenticate against Google. It sounds like you're wrestling with how to authenticate your client against the server after the auth_token timeout.

In general, the client shouldn't send the access_token to the server, nor the refresh_token. What it does is, during the first sign-in, the client gets a one-time code (from Google) which it hands to the server. The server uses this to talk to Google and get the access_token and refresh_token, confirming the user has authenticated themselves, and then sends something (usually a cookie) back to the client saying "ok, I've authenticated you. Here is how you keep authenticating yourself for the rest of our conversation."

That later action is pretty standard and is unrelated to OAuth itself. The client and server then communicate as they always do - no OAuth stuff is exchanged at all; you're relying on the cookie (or equivalent) to keep up the client-server authentication. The server continues to use the auth token and refresh token to talk to Google.

https://developers.google.com/identity/sign-in/web/server-side-flow I think is the best guide to this at the moment. Or at least it is the best one I can find at the moment. It has a good diagram, at least.

The key point is that you're exchanging the brilliantly named "code" with the server (what I was calling the "one-time code"). Once you have done that, the server authenticates you with Google - and it then has the access/refresh tokens, and you communicate with the server without having to pass those.
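The server-side flow the answer describes, as an added example that is not part of the original post or of Google's libraries: the browser hands over the one-time code, the server swaps it for Google's access/refresh tokens and keeps both, and every later request is checked against an opaque session cookie rather than against tokeninfo. `exchange_code` and `refresh_access` are injected callables standing in for the HTTPS calls to Google's token endpoint so the code runs offline; the dict shape they return (access_token, refresh_token, expires_in, sub) is an assumption modelled on the OAuth 2.0 token response plus the verified ID token's subject.

```python
import secrets
import time

SESSION_TTL = 30 * 24 * 3600  # constructed value: the cookie session outlives the 1h access token


class AuthServer:
    """Holds Google tokens server-side; clients only ever see an opaque session id."""

    def __init__(self, exchange_code, refresh_access, now=time.time):
        self.exchange_code = exchange_code    # stand-in for POSTing the code to Google's token endpoint
        self.refresh_access = refresh_access  # stand-in for the refresh_token grant
        self.now = now
        self.sessions = {}  # session id -> (user id, session expiry)
        self.grants = {}    # user id -> Google tokens; never returned to the browser

    def login(self, code):
        """Step 1: one-time code from the browser in, opaque session cookie value out."""
        tok = self.exchange_code(code)  # Google rejects bad or reused codes here
        user = tok['sub']               # subject of the (already verified) ID token
        self.grants[user] = {
            'access': tok['access_token'],
            'refresh': tok['refresh_token'],
            'expires_at': self.now() + int(tok['expires_in']),
        }
        sid = secrets.token_urlsafe(32)  # unguessable; send as an HttpOnly; Secure; SameSite cookie
        self.sessions[sid] = (user, self.now() + SESSION_TTL)
        return sid

    def authenticate(self, sid):
        """Step 2: later requests are checked against the session store, not tokeninfo."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, expiry = entry
        if self.now() >= expiry:
            self.sessions.pop(sid, None)
            return None
        return user

    def google_access_token(self, user):
        """Server side only: hand back a live token, refreshing with refresh_token when stale."""
        g = self.grants[user]
        if self.now() >= g['expires_at'] - 60:  # renew a minute early to avoid edge races
            tok = self.refresh_access(g['refresh'])
            g['access'] = tok['access_token']
            g['expires_at'] = self.now() + int(tok['expires_in'])
        return g['access']
```

The session therefore survives the 1-hour access token expiry, and the refresh happens on the server without the client ever seeing access_token or refresh_token.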

