OAuth2和Google API:访问令牌过期时间? [英] OAuth2 and Google API: Access token expiration time?
问题描述
我们有一个独立的Java应用程序(请参阅安装的应用程序: https://developers.google .com / accounts / docs / OAuth2 ),它定期运行并使用google API(更新来自客户数据库/ ldap / ...的一些信息)。
要访问Google API,我们会将用户名和密码存储在配置文件中,这是一种安全风险,客户不喜欢这种情况。所以我们希望使用OAuth2长生存权限令牌。
Google OAuth2访问令牌的默认到期时间是什么?
我们将只能访问应用程序中的令牌,当访问令牌到期时,应用程序本身无法刷新它...
个人而言,我认为在这种情况下OAuth2实现不会带来任何重大利益,但让我们专注于主要问题 - 默认到期时间。 您不应该根据访问令牌的特定生命周期设计您的应用程序。假设他们(非常)短暂。然而,在成功完成OAuth2安装的应用程序流程后,您将获得刷新令牌。此刷新令牌永不过期,您可以根据需要使用它来交换访问令牌。保存刷新令牌,并使用它们按需获取访问令牌(应立即用于访问用户数据)。
编辑:我上面的评论尽管如此,有两种简单的方法可以获取访问令牌到期时间:
- 它是响应中的一个参数(
expires_in)当您交换刷新令牌时(使用/ o / oauth2 /令牌端点)。 更多详细信息。 -
还有一个API返回access_token的剩余生命周期: https ://www.googleapis.com/oauth2/v1/tokeninfo?access_token = {accessToken}
这将返回一个json数组,它将包含一个
expires_in参数,它是令牌生命周期中剩余的秒数。
We have a standalone Java application (see 'Installed application': https://developers.google.com/accounts/docs/OAuth2) which runs periodically and uses google API (updates some informations from customer databases/ldap/...).
To access Google APIs we store username and password in configuration file, which is a security risk and customer does not like that. So we would like to use OAuth2 long-living access token instead.
what`s default expiration time for Google OAuth2 access tokens ?
As we will have only access token in application, app itself cannot refresh it when access token expires...
Personally i think that OAuth2 implementation in this case will not bring any major benefit but let`s focus on main question - default expiration times.
You shouldn't design your application based on specific lifetimes of access tokens. Just assume they are (very) short lived.
However, after a successful completion of the OAuth2 installed application flow, you will get back a refresh token. This refresh token never expires, and you can use it to exchange it for an access token as needed. Save the refresh tokens, and use them to get access tokens on-demand (which should then immediately be used to get access to user data).
EDIT: My comments above notwithstanding, there are two easy ways to get the access token expiration time:
- It is a parameter in the response (
expires_in)when you exchange your refresh token (using /o/oauth2/token endpoint). More details. There is also an API that returns the remaining lifetime of the access_token:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={accessToken}
This will return a json array that will contain an
expires_inparameter, which is the number of seconds left in the lifetime of the token.
这篇关于OAuth2和Google API:访问令牌过期时间?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
