How to make Google sign-in token valid for longer than 1 hour?

Problem description
I have implemented google sign-in successfully.

I am able to authenticate user and in response I receive token. However the token expires in 1 hour.

expires_in: "3600"

I tried searching in the docs - https://developers.google.com/identity/sign-in/web/reference - but cannot find a parameter to extend the lifespan of the token.


What I'm actually trying to do?

https://developers.google.com/identity/sign-in/web/backend-auth

after a user successfully signs in, send the user's ID token to your server using HTTPS

I'm sending token with each request to the server:

endpoint/get?access_token=" + access_token

And then on the server I'm calling https://www.googleapis.com/oauth2/v3/tokeninfo

So I have a token, every request is authenticated, but after 1 hour of working the tokeninfo method returns false and I need to re-authenticate the user.

In my code I circumvented that by storing all the historical access_tokens and if client uses old token I check against historical data and manually issue new token using refresh_token (one of my permissions is to grant offline access)


So yes, I'd be very interested to know:

  • How to expand lifespan of the access_token?

OR

  • Given the limited lifespan how to ensure requests are authenticated on the backend?

Solution

As @DaImTo noted, you can't extend the life of an access_token. You can get a new one using a refresh_token, but often if you're trying to do this client side and have a server, you should re-think your approach.

It sounds like there are two "authentications" that you're doing here - the client authenticating against the server, and the server authenticating against the Google service. Right now, the server should be holding onto the refresh token - so it can always re-authenticate against Google. It sounds like you're wrestling with how to authenticate your client against the server after the auth_token timeout.

In general, the client shouldn't send the access_token to the server, nor the refresh_token. What it does is during the first sign-in, the client gets a one-time code (from Google) which it hands to the server. The server uses this to talk to Google and get the access_token and refresh_token, confirming the user has authenticated themselves, and then sends something (usually a cookie) back to the client saying "ok, I've authenticated you. Here is how you keep authenticating yourself for the rest of our conversation."

That later action is pretty standard and is unrelated to oauth itself. The client and server then communicate as they always do - no oauth stuff is exchanged at all, you're relying on the cookie (or equivalent) to keep up the client-server authentication. The server continues to use the auth token and refresh token to talk to Google.

https://developers.google.com/identity/sign-in/web/server-side-flow I think is the best guide to this at the moment. Or at least it is the best one I can find at the moment. It has a good diagram, at least.

The key point is that you're exchanging the brilliantly named "code" with the server (what I was calling the "one-time code"). Once you have done that, the server authenticates you with Google - and it then has the access/refresh tokens and you communicate with the server without having to pass those.
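The exchange the answer describes, as an added example that is not code from the original post, from Google, or from the linked guide. It assumes Google's documented token endpoint and parameter names (https://oauth2.googleapis.com/token with `code`, `client_id`, `client_secret`, `redirect_uri`, `grant_type=authorization_code`, and `grant_type=refresh_token` for renewals); everything else, including the `FakeGoogle` stub that stands in for the token endpoint so it runs offline, the one-time code string, the user id, the cookie format and the `fake_verify_id_token` stub, is constructed for illustration. In production the `post_token` hook would be an HTTPS POST and `verify_id_token` would be a real JWT signature and audience check (for example `google.oauth2.id_token.verify_oauth2_token` from the google-auth package).

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"  # Google's real token endpoint
LEEWAY = 60  # refresh a minute before Google's expires_in runs out


@dataclass
class Session:
    user_id: str
    access_token: str          # server-to-Google credential, never sent to the browser
    expires_at: float          # absolute time derived from expires_in
    refresh_token: Optional[str]


class AuthServer:
    """Backend side of the server-side flow: one-time code in, signed session cookie out."""

    def __init__(self, client_id: str, client_secret: str, redirect_uri: str, cookie_key: bytes,
                 post_token: Callable[[str, dict], dict],        # HTTPS POST to the token endpoint
                 verify_id_token: Callable[[str, str], dict],    # JWT signature + aud check
                 clock: Callable[[], float]):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.cookie_key, self.post_token, self.verify_id_token, self.clock = cookie_key, post_token, verify_id_token, clock
        self.sessions: dict[str, Session] = {}  # session id -> Session, kept server side only

    def login(self, code: str) -> str:
        """Exchange the one-time code with Google and hand the client a signed cookie."""
        resp = self.post_token(GOOGLE_TOKEN_ENDPOINT, {
            "code": code, "client_id": self.client_id, "client_secret": self.client_secret,
            "redirect_uri": self.redirect_uri, "grant_type": "authorization_code"})
        claims = self.verify_id_token(resp["id_token"], self.client_id)  # who signed in
        sid = secrets.token_urlsafe(32)  # url-safe base64: never contains the "." separator
        self.sessions[sid] = Session(claims["sub"], resp["access_token"],
                                     self.clock() + int(resp["expires_in"]),
                                     resp.get("refresh_token"))  # only with access_type=offline
        return self._sign(sid)

    def authenticate(self, cookie: Optional[str]) -> Optional[Session]:
        """Per-request check: MAC on the cookie plus a local lookup. No call to Google."""
        if not cookie or "." not in cookie:
            return None
        sid = cookie.rsplit(".", 1)[0]
        if not hmac.compare_digest(self._sign(sid), cookie):
            return None
        return self.sessions.get(sid)

    def google_access_token(self, session: Session) -> str:
        """Credential for server-to-Google calls, refreshed transparently near expiry."""
        if self.clock() < session.expires_at - LEEWAY:
            return session.access_token
        if session.refresh_token is None:
            raise PermissionError("access token expired and no refresh token; user must sign in again")
        resp = self.post_token(GOOGLE_TOKEN_ENDPOINT, {
            "refresh_token": session.refresh_token, "client_id": self.client_id,
            "client_secret": self.client_secret, "grant_type": "refresh_token"})
        session.access_token = resp["access_token"]
        session.expires_at = self.clock() + int(resp["expires_in"])
        return session.access_token

    def _sign(self, sid: str) -> str:
        return sid + "." + hmac.new(self.cookie_key, sid.encode(), hashlib.sha256).hexdigest()


class FakeGoogle:
    """Constructed stand-in for Google's token endpoint so the example runs offline."""

    def __init__(self):
        self.codes = {"4/0AX-constructed-code": "user-123"}  # one-time code -> subject
        self.refresh_tokens: dict[str, str] = {}
        self.issued = 0  # number of token-endpoint calls

    def __call__(self, url: str, params: dict) -> dict:
        assert url == GOOGLE_TOKEN_ENDPOINT
        self.issued += 1
        if params["grant_type"] == "authorization_code":
            sub = self.codes.pop(params["code"], None)  # a second use of the code fails
            if sub is None:
                raise ValueError("invalid_grant")
            self.refresh_tokens[f"rt-{self.issued}"] = sub
            return {"access_token": f"at-{self.issued}", "expires_in": 3600,
                    "refresh_token": f"rt-{self.issued}",
                    "id_token": json.dumps({"sub": sub, "aud": "client-id"})}  # unsigned stub
        if params["grant_type"] == "refresh_token":
            self.refresh_tokens[params["refresh_token"]]  # KeyError if revoked/unknown
            return {"access_token": f"at-{self.issued}", "expires_in": 3600}
        raise ValueError("unsupported_grant_type")


def fake_verify_id_token(id_token: str, audience: str) -> dict:
    """Stub: real code must verify the JWT signature as well as aud."""
    claims = json.loads(id_token)
    if claims["aud"] != audience:
        raise ValueError("wrong audience")
    return claims


def demo() -> dict:
    """Login, then two hours later the same cookie still works and the Google token is refreshed."""
    now = [1_700_000_000.0]  # controllable clock (constructed)
    google = FakeGoogle()
    server = AuthServer("client-id", "client-secret", "https://app.example/oauth2callback",
                        secrets.token_bytes(32), google, fake_verify_id_token, lambda: now[0])
    cookie = server.login("4/0AX-constructed-code")
    first = server.google_access_token(server.authenticate(cookie))
    now[0] += 2 * 3600  # well past expires_in; the client has not had to do anything
    session = server.authenticate(cookie)
    second = server.google_access_token(session)
    tampered = server.authenticate(cookie[:-1] + ("0" if cookie[-1] != "0" else "1"))
    return {"user": session.user_id, "first": first, "second": second,
            "tampered_rejected": tampered is None, "google_calls": google.issued}


if __name__ == "__main__":
    print(demo())
```

Note what is different from the question's setup: the browser only ever holds the session cookie, `authenticate` is a local MAC check and dictionary lookup rather than a `tokeninfo` round-trip on every request, and the refresh token lives in the server's session store, so the access token's one-hour `expires_in` only affects the server-to-Google call and is handled inside `google_access_token`.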
