Chrome扩展需要从服务器端进行离线访问 [英] chrome extension needs offline access from server side
问题描述
我正在构建一个Chrome扩展。我使用 chrome.identity.getAuthToken
来获取access_token。这为我提供了客户端(浏览器)的access_token。现在我想将这个access_token传递给我的服务器。我想离线访问已授权的API,我知道为此我必须将它与长实时令牌和刷新令牌交换。有没有一种安全的方式将access_token传递给服务器?或者我应该使用htttp post?
另一种方法是将用户重定向到服务器,以便在那里有流量。
什么是最好和最安全的做法? 解决方案
我认为sever侧流最好使用authorization_code流获取refresh_token 。
使用客户端流程无法请求刷新令牌,Google会拒绝该请求使用消息 access_type脱机,不允许使用响应类型令牌
在服务器中安全地获取访问令牌和刷新令牌后,您可以将其发送给Chrome扩展,因此扩展程序无需在维护令牌时执行任何额外的过程,一旦令牌过期,您可以向服务器请求新的访问令牌,然后服务器将使用刷新令牌刷新访问令牌并发回给扩展程序。
I am building a chrome extension. I used chrome.identity.getAuthToken
to get the access_token. This provided me the access_token at the client side ( browser ) . Now I want to pass this access_token to my server. I want to have offline access to granted APIs, I understand that for this I have to exchange it with the long-live-token and refresh token. Is there a secure way to pass access_token to server? Or should I use htttp post?
Another way is to redirect the user to server to have both the flow there.
What is the best and most secure practice ?
I think sever side flow is best to obtain refresh_token using authorization_code flow.
Using the client side flow you cannot request refresh token , Google will reject that request With the message access_type offline, not allowed for response type token
Once you obtain the access token and refresh token securely in server you could send that to chrome extension , so extension doesn't have to do any extra process in maintaining token, once the token is expired you could request the server for new access token, then server will use the refresh token to refresh the access token and send back to the extension
这篇关于Chrome扩展需要从服务器端进行离线访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!