如何理解OAuth 2.0 Key的生命周期
如果没理解错的话应该是Key过了一段时间就会失效吧?
那岂不是例如Fawave这种同步型微博程序,每过一段时间(新浪的话好像是7点)就要从新认证一次?
如果是的话,如何做到跟1.0一样只要认证一次的效果?
没安全提示问题
11 years, 6 months ago
Answers
下面是The OAuth 2.0 Authorization Framework中关于refresh_token的规定,注意黑体部分:
Refresh tokens are credentials used to obtain access tokens. Refreshtokens are issued to the client by the authorization server and areused to obtain a new access token when the current access tokenbecomes invalid or expires, or to obtain additional access tokenswith identical or narrower scope (access tokens may have a shorterlifetime and fewer permissions than authorized by the resourceowner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refreshtoken, it is included when issuing an access token (i.e. step (D) inFigure 1).
单独拿新浪来说,其token有效期与应用的授权级别有关:
授权级别 测试 普通 中级 高级 合作
授权有效期 1天 7天 15天 30天 90天
并且新浪有一个access_token授权自动延期方案:
如果用户在授权有效期内重新打开授权页授权(如果此时用户有微博登录状态,这个页面将一闪而过),那么新浪会为开发者自动延长access_token的生命周期,请开发者维护新授权后得access_token值。
相关链接:
The OAuth 2.0 Authorization Framework
http://tools.ietf.org/html/draft-ietf...
新浪授权机制说明
http://open.weibo.com/wiki/%E6%8E%88%...
albino
answered 11 years, 6 months ago