OAuth Refresh Token Best Practice


Question

I am implementing OAuth for a project, and I want to know the best way to handle refresh tokens.

The API I call will return a JSON object with access_token, expires_in, and refresh_token. So I was wondering, is it better to:

  1. Calculate the time when the access_token will expire, store that in the database. Check that the access_token is not expired every time I make an API call, and if it is expired then use the refresh_token to get a new access_token.

(Additional Question: how do I make sure that the time which I calculate for the token expiration is accurate? Because the expire_in value probably starts from when the API server generated the key, and not when I receive it.)

  2. Attempt the API call with the access_token every time, and if it returns an error, then use the refresh_token.

I am also open to other options of implementing this.

Recommended answer

The client should always be prepared to handle an error returned from the API that indicates that the access_token validation failed. Depending on the implementation the access token may have been revoked or declared invalid otherwise.

The client may then use a refresh_token to get a new access token and try again. So you can choose to implement 1. but it does not free you from implementing 2. as well, so you may choose to stick to only implementing 2 and minimize the amount of code required.

Of course if you want to prevent errors from happening as much as possible you could implement 1. to optimize the number of calls and reduce the number of errors in the whole process.
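As an added example (not part of the original question or answer), here is a client that combines both approaches from the answer: it computes the expiry from the local receipt time minus a safety margin (approach 1) and still refreshes once and retries when the API rejects the token (approach 2). `token_endpoint`, `api_call` and `FakeServer` are hypothetical stand-ins for the real HTTP calls, constructed so the example runs offline.

```python
class TokenClient:
    SKEW = 60  # safety margin: expires_in was measured at the server, not when we received it
    def __init__(self, token_response, token_endpoint, api_call, now):
        self.token_endpoint = token_endpoint  # hypothetical: refresh_token -> new token JSON
        self.api_call = api_call              # hypothetical: access_token -> (status, body)
        self.now = now                        # clock source, injectable for testing
        self.refresh_token = None
        self.refreshes = 0
        self._store(token_response)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        # The server may rotate the refresh token; keep the old one if none is returned
        self.refresh_token = resp.get("refresh_token") or self.refresh_token
        # Expiry from local receipt time minus the margin: a stale expires_in can only make us refresh early
        self.expires_at = self.now() + resp["expires_in"] - self.SKEW

    def _refresh(self):
        self.refreshes += 1
        self._store(self.token_endpoint(self.refresh_token))

    def call(self):
        if self.now() >= self.expires_at:   # approach 1: refresh before calling
            self._refresh()
        status, body = self.api_call(self.access_token)
        if status == 401:                   # approach 2: token rejected anyway (e.g. revoked)
            self._refresh()                 # refresh once and retry; no unbounded retry loop
            status, body = self.api_call(self.access_token)
        return status, body

class FakeServer:  # constructed stand-in for the authorization server and the resource API
    def __init__(self):
        self.clock, self.valid, self.n = 1000.0, set(), 0
    def issue(self, refresh_token=None):
        self.n += 1
        self.valid.add(f"at{self.n}")
        return {"access_token": f"at{self.n}", "expires_in": 300, "refresh_token": "rt"}
    def api(self, access_token):
        return (200, "ok") if access_token in self.valid else (401, "invalid_token")

def demo():
    srv = FakeServer()
    client = TokenClient(srv.issue(), srv.issue, srv.api, now=lambda: srv.clock)
    r1 = client.call()                       # fresh token, no refresh
    srv.clock += 250                         # still within expires_in, but past the margin
    r2 = client.call()                       # proactive refresh (approach 1)
    srv.valid.discard(client.access_token)   # server revokes the token early
    r3 = client.call()                       # 401 -> reactive refresh and retry (approach 2)
    return [r1[0], r2[0], r3[0]], client.refreshes
```

`demo()` exercises both paths: the second call refreshes because the margin has been crossed, the third because the server rejected a token that was locally still considered valid.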
