OAuth grant flow - token expiration


Problem description

I'm developing an Android app that uses the Outlook Calendar REST API. I'm trying to keep the calendars of multiple users (meeting rooms) in sync and up to date.

My questions are:

1) How long does it take for the initial authorization code to expire?

2) And for the refresh token?

The access token expires after 60 mins. I can't tell whether the refresh token expires after 6 hours, 14 days or 90 days.

3) Is the latter configurable? Can I make it not expire?


Update: (from https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx)

"The lifetime of the refresh token is not provided and varies based on policy settings and the time when the authorization code grant is revoked by Azure AD. The application should expect and handle cases when the request for a new access token fails. In that case, it should return to the code that requests a new access token."

And also: (from http://blogs.msdn.com/b/exchangedev/archive/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-exchange-online-in-office-365.aspx) "Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. The client application needs to expect and handle errors returned by the token issuance endpoint correctly. When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code."

So how can I guarantee that my app will always have all the users logged in?

It will be in airplane mode during the night and it should automatically recover from crashes as well. Can I solve this without authenticating the users programmatically by storing their credentials?

Thanks

Accepted answer

Answers:

  1. A few minutes. The exact value is an implementation detail and can change at any time. You should make every effort to redeem the code as soon as you obtain it.
  2. See http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/
  3. As of today, the lifetime limits cannot be changed. We are working on features that will give you more control, but we don't have an ETA to share at this time.

The only way of guaranteeing that a user is signed in is to successfully redeem a refresh token, or to go through an authentication flow. Use of cached credentials is restricted to very few cases, and will likely be disallowed in upcoming versions of the service.

If a refresh token expires, you should plan to perform an interactive authentication. Note that the refresh token might also be invalidated by a consent revocation, which will mandate interactivity in all cases.
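The token handling that the answer and the quoted Microsoft guidance describe (serve the cached access token until it expires, then redeem the refresh token silently; discard the refresh token and fall back to an interactive authorization-code flow on invalid_grant or interaction_required; keep it, untouched, across a network outage such as the overnight airplane mode in the question), as an added Python example that is not part of the original question or answer. The token endpoint, client ID, resource URL, authorization codes and token strings are constructed stand-ins for Azure AD, not real identifiers, and the request parameter names (grant_type, code, refresh_token, client_id, resource) are assumed from the Azure AD documentation linked above rather than taken from this page.

```python
import time
from typing import Callable, Dict, Optional

# Token-endpoint errors after which the refresh token is dead: discard it and go back to the
# authorization-code step (the two codes named in the Exchange blog quoted above).
FATAL_REFRESH_ERRORS = {"invalid_grant", "interaction_required"}


class TokenManager:
    """Cached access token if unexpired, else silent refresh, else interactive sign-in."""

    def __init__(self, token_endpoint, interactive_auth: Callable[[], str], client_id: str,
                 resource: str, clock: Callable[[], float] = time.time, skew: float = 300):
        self.token_endpoint = token_endpoint      # POSTs params to the token endpoint; raises on network failure
        self.interactive_auth = interactive_auth  # runs the browser/webview flow, returns an authorization code
        self.client_id, self.resource, self.clock, self.skew = client_id, resource, clock, skew
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at, self.interactive_logins = 0.0, 0  # epoch seconds; count of forced sign-ins

    def get_access_token(self) -> str:
        # Treat the access token as expired `skew` seconds early so a call started near the 60-minute boundary does not fail mid-flight.
        if self.access_token and self.clock() + self.skew < self.expires_at:
            return self.access_token
        if self.refresh_token:
            status, body = self.token_endpoint({"grant_type": "refresh_token", "client_id": self.client_id,
                                                "resource": self.resource, "refresh_token": self.refresh_token})
            if status == 200:
                return self._store(body)
            if body.get("error") not in FATAL_REFRESH_ERRORS:
                # Transient failure (e.g. temporarily_unavailable): keep the refresh token, let the caller retry later.
                raise RuntimeError(f"token refresh failed: {body.get('error')}")
            self.refresh_token = None  # invalid_grant / interaction_required: discard it
        # No usable refresh token: run the interactive flow and redeem the code at once (codes live only minutes).
        code = self.interactive_auth()
        self.interactive_logins += 1
        status, body = self.token_endpoint({"grant_type": "authorization_code", "code": code,
                                            "client_id": self.client_id, "resource": self.resource})
        if status != 200:
            raise RuntimeError(f"code redemption failed: {body.get('error')}")
        return self._store(body)

    def _store(self, body: Dict[str, object]) -> str:
        self.access_token = str(body["access_token"])
        self.refresh_token = body.get("refresh_token")  # Azure AD may rotate it on every refresh
        self.expires_at = self.clock() + float(body["expires_in"])
        return self.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for the Azure AD token endpoint (not Microsoft's code): single-use codes, rotating refresh tokens, an offline switch."""

    def __init__(self) -> None:
        self.codes, self.refresh_tokens, self.offline, self.n = set(), set(), False, 0

    def issue_code(self) -> str:  # stands in for the interactive browser flow
        self.n += 1
        self.codes.add(f"code-{self.n}")
        return f"code-{self.n}"

    def __call__(self, params: Dict[str, str]):
        if self.offline:
            raise ConnectionError("no network")
        # Codes and refresh tokens are both single use: consume the one presented or reject it.
        pool = self.codes if params["grant_type"] == "authorization_code" else self.refresh_tokens
        presented = params.get("code") or params.get("refresh_token")
        if presented not in pool:
            return 400, {"error": "invalid_grant"}
        pool.remove(presented)
        self.n += 1
        self.refresh_tokens.add(f"rt-{self.n}")
        return 200, {"access_token": f"at-{self.n}", "refresh_token": f"rt-{self.n}", "expires_in": 3600}


def run_scenario() -> Dict[str, object]:
    """A meeting-room device over one day: sign-in, cached use, silent refresh, offline night, reconnect, consent revoked."""
    clock = [1_700_000_000.0]
    endpoint = FakeTokenEndpoint()
    tm = TokenManager(endpoint, endpoint.issue_code, "client-id", "https://outlook.office.com/",
                      clock=lambda: clock[0])
    first = tm.get_access_token()             # nothing cached: interactive sign-in #1
    cached = tm.get_access_token()            # same token, no endpoint call
    clock[0] += 3600                          # access token expired
    refreshed = tm.get_access_token()         # silent refresh, no sign-in
    endpoint.offline, clock[0] = True, clock[0] + 8 * 3600  # airplane mode overnight
    try:
        tm.get_access_token()
        offline_error = False
    except ConnectionError:
        offline_error = True                  # refresh token kept, nothing discarded
    endpoint.offline = False
    after_reconnect = tm.get_access_token()   # the kept refresh token still works
    endpoint.refresh_tokens.clear()           # admin revokes the app's consent
    clock[0] += 3600
    after_revocation = tm.get_access_token()  # invalid_grant -> discard -> interactive sign-in #2
    return {"first": first, "cached": cached, "refreshed": refreshed, "offline_error": offline_error,
            "after_reconnect": after_reconnect, "after_revocation": after_revocation,
            "interactive_logins": tm.interactive_logins}
```

The manager never holds a user password, which is what the answer steers away from: the only long-lived secret is the refresh token, and on a real device that belongs in Keystore-backed encrypted storage so it survives crashes and reboots. Note the asymmetry in the error handling: a network error or a non-fatal endpoint error leaves the refresh token in place for a later retry, while invalid_grant and interaction_required throw it away immediately, because retrying a revoked token only generates failed-auth noise in the tenant's sign-in logs.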
