OAuth Refresh Token Best Practice

Views: 70

Question

I am implementing OAuth for a project, and I want to know the best way to handle refresh tokens.

The API I call will return a JSON object with access_token, expires_in, and refresh_token. So I was wondering, is it better to:

  1. Calculate the time when the access_token will expire, store that in the database. Check that the access_token is not expired every time I make an API call, and if it is expired then use the refresh_token to get a new access_token.

(Additional Question: how do I make sure that the time which I calculate for the token expiration is accurate? Because the expire_in value probably starts from when the API server generated the key, and not when I receive it.)

  2. Just try to make the API call with the access_token every time, and if it returns an error, use the refresh_token.

I am also open to other options of implementing this.

Answer

The client should always be prepared to handle an error returned from the API that indicates that the access_token validation failed. Depending on the implementation, the access token may have been revoked or otherwise declared invalid.

The client may then use a refresh_token to get a new access token and try again. So you can choose to implement 1., but it does not free you from implementing 2. as well, so you may choose to stick to only implementing 2. and minimize the amount of code required.

Of course, if you want to prevent errors from happening as much as possible you could implement 1. to optimize the number of calls and reduce the number of errors in the whole process.
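The answer's combination of both options, as an added example that is not part of the original post: the client computes the expiry from the moment it received the token response, minus a safety margin for network delay and clock drift (option 1), and still refreshes and retries once when the API rejects the token (option 2). `FakeAuthServer` is a constructed stand-in for the token endpoint and the resource API; the `PermissionError` plays the role of the API's invalid-token error.

```python
import time


class FakeAuthServer:
    """Constructed stand-in for the authorization server and the API it protects."""

    def __init__(self):
        self.valid = set()
        self.counter = 0

    def issue(self):
        # Simulates the token endpoint's JSON response described in the question.
        self.counter += 1
        tok = f"at{self.counter}"
        self.valid.add(tok)
        return {"access_token": tok, "expires_in": 3600, "refresh_token": "rt"}

    def revoke(self, tok):
        self.valid.discard(tok)

    def call_api(self, tok):
        if tok not in self.valid:
            raise PermissionError("invalid_token")  # the rejection the answer expects
        return {"ok": True}


class TokenClient:
    SKEW = 60  # seconds subtracted from expires_in: delivery delay and clock drift

    def __init__(self, server, now=time.time):
        self.server = server
        self.now = now  # injectable clock so expiry can be tested deterministically
        self.access_token = None
        self.expires_at = 0.0
        self.refresh_count = 0

    def _store(self, resp):
        # Option 1: expiry is measured from receipt, not from the server's issue time,
        # so the margin covers the interval the question worries about.
        self.access_token = resp["access_token"]
        self.expires_at = self.now() + resp["expires_in"] - self.SKEW

    def _refresh(self):
        self.refresh_count += 1
        self._store(self.server.issue())

    def call(self):
        if self.access_token is None or self.now() >= self.expires_at:
            self._refresh()  # option 1: proactive refresh before the call
        try:
            return self.server.call_api(self.access_token)
        except PermissionError:
            self._refresh()  # option 2: token was rejected (e.g. revoked), refresh
            return self.server.call_api(self.access_token)  # retry exactly once
```

The single retry matters: if the refreshed token is rejected again, the error propagates instead of looping against the token endpoint.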
