
I am trying to figure out how an access token in OAuth 2.0 should be used. To be more precise, I am trying to use the Google Plus API from a web application.

I am now able to get a code and, from it, an access token. The problem is that this token is only valid for about 3600 seconds.

Is there a way to get another token without making the user go through this process again: https://developers.google.com/accounts/images/consent1.png? It seems a bit irritating. I know of offline access and its refresh token, but it doesn't feel right to have permanent access to a user's account.

Do you have any ideas on how should I proceed?
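An added example, not code from the question or the answer, of the refresh-token flow the question mentions: the stored refresh token is exchanged for a new access token at the token endpoint, the token is renewed a minute before its 3600-second lifetime ends, and an `invalid_grant` reply (the user revoked the grant) is surfaced as the one case where the consent screen really is needed again. Assumptions not on the page: the first authorization was made with `access_type=offline` so a `refresh_token` was returned, the endpoint URLs are Google's current ones, and the `transport` hook and canned replies are hypothetical so the code runs offline.

```python
# Added example (not from the original post). Assumes the first code exchange
# was done with access_type=offline and returned a refresh_token.
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"    # assumed endpoint
REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"  # assumed endpoint
REFRESH_MARGIN_SECONDS = 60  # renew before the last minute, not after expiry


class OAuthError(Exception):
    """Token endpoint returned an error document instead of a token."""

    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}")
        self.error = error


class TokenSet:
    """Short-lived access token, its absolute expiry, and the refresh token."""

    def __init__(self, access_token, expires_in, refresh_token, now=None):
        now = time.time() if now is None else now
        self.access_token = access_token
        self.expires_at = now + expires_in
        self.refresh_token = refresh_token

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expires_at - REFRESH_MARGIN_SECONDS


def urllib_post(url, body):
    """Default transport: POST a form body, return (status, raw JSON bytes)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # 4xx with a JSON error body
        return e.code, e.read()


def parse_token_response(status, body, refresh_token, now=None):
    """Turn the token endpoint reply into a TokenSet.

    A refresh reply normally carries no new refresh_token, so the stored one
    is kept. `invalid_grant` means the user revoked the grant (or the refresh
    token is otherwise dead): the only recovery is the consent screen again.
    """
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise OAuthError(data.get("error", f"http_{status}"),
                         data.get("error_description", ""))
    return TokenSet(data["access_token"], int(data["expires_in"]),
                    data.get("refresh_token", refresh_token), now)


def refresh_access_token(client_id, client_secret, tokens, transport=urllib_post, now=None):
    """Exchange the refresh token for a fresh access token (RFC 6749 section 6)."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,        # server-side only, never in the browser
        "refresh_token": tokens.refresh_token,
        "grant_type": "refresh_token",
    }).encode()
    status, reply = transport(TOKEN_ENDPOINT, body)
    return parse_token_response(status, reply, tokens.refresh_token, now)


def get_access_token(client_id, client_secret, tokens, transport=urllib_post, now=None):
    """Return (access_token, tokens); refreshes first if the token is about to
    expire. The caller persists the returned TokenSet."""
    if tokens.needs_refresh(now):
        tokens = refresh_access_token(client_id, client_secret, tokens, transport, now)
    return tokens.access_token, tokens


def revoke(token, transport=urllib_post):
    """Revoke the refresh token when the user disconnects, so the 'permanent
    access' the question worries about ends on the app's side as well."""
    status, _ = transport(REVOKE_ENDPOINT, urllib.parse.urlencode({"token": token}).encode())
    return status == 200


# Constructed sample replies (not captured from Google) so this runs offline.
SAMPLE_REFRESH_REPLY = (200, json.dumps({
    "access_token": "ya29.new-token", "expires_in": 3600, "token_type": "Bearer"}).encode())
SAMPLE_REVOKED_REPLY = (400, json.dumps({
    "error": "invalid_grant", "error_description": "Token has been expired or revoked."}).encode())


def fake_transport(reply):
    """Hypothetical transport that returns a canned reply instead of using the network."""
    return lambda url, body: reply


if __name__ == "__main__":
    stored = TokenSet("ya29.old-token", 3600, "1//refresh-token", now=0)
    token, stored = get_access_token("cid", "secret", stored,
                                     transport=fake_transport(SAMPLE_REFRESH_REPLY), now=3600)
    print(token, stored.refresh_token)  # new access token, same refresh token
```

The refresh token is the long-lived credential here: store it server-side encrypted at rest, never hand it to the browser, and call `revoke` when the user disconnects the app; the access token itself can be kept in memory and thrown away.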


1 Answer


I am definitely not an authority, but I believe the answer is "no". The offline token lets you access without subsequent user approval, but only within the scopes the user already consented to when they first authenticated. Moreover, the user can revoke your application's access at any time, which, combined with their earlier consent, means they both a.) know what they allowed and b.) can stop it at any time. On the face of it, if a user uses your application enough that they keep having to get new tokens, they already trust it to act on their behalf within the scopes you set, and the offline token is a way of taking the relationship to the next level :)

I realize this is probably more philosophical than what you were looking for, so apologies if it isn't relevant to your situation.

answered 2012-10-21T01:54:30.003