Reputation: 2981
I am trying to figure out how an access token in OAuth 2.0 should be used. To be more precise, I am trying to use the Google Plus API from a web application.
I am now able to get a code and from it an access token. The problem is that this token is only valid for about 3600 seconds.
Is there a way to get another token without making the user go through this process again: https://developers.google.com/accounts/images/consent1.png because it seems a bit irritating. I know of offline access and its refresh token, but it doesn't feel right to have permanent access to a user's account.
Do you have any ideas on how I should proceed?
Upvotes: 2
Views: 180
Reputation: 37249
I'm definitely not an authority, but I believe the answer is 'no'. The offline token allows you access without subsequent user approval, but only to the scopes to which the user already agreed when authenticating for the first time. Also, the user has the option of revoking your application's access at any time, which when combined with their previous consent means they both a.) know what they're allowing; and b.) can stop it at any time. Ostensibly, if a user uses your app enough that they constantly have to get a new token, they already trust it to act on their behalf within the scope you set, and the offline token is a way for you to take your relationship to the next level :)
I realize this is probably more philosophical than you were looking for, so apologies if it isn't pertinent to your situation.
Upvotes: 2
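As an added example (not code from the question or the answer above), one way to handle the expiring access token the thread discusses: keep the refresh token per user, exchange it for a new access token only when the current one is about to expire, and treat a refresh rejected with `invalid_grant` as the user having revoked access, so the app forgets the token and sends the user back through consent for the same scopes. The `exchange` callback is injected so the logic runs offline; the Google token endpoint URL in `google_exchange` is an assumption to check against current Google documentation.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Standard OAuth 2.0 token-endpoint error for a refresh token that is invalid,
# expired or revoked by the user (RFC 6749, section 5.2).
REVOKED_ERROR = "invalid_grant"


class ConsentRequired(Exception):
    """No usable refresh token: the user must go through consent again."""


@dataclass
class TokenStore:
    """Per-user OAuth 2.0 credentials for one fixed set of scopes."""
    scopes: tuple
    refresh_token: Optional[str]
    access_token: Optional[str] = None
    expires_at: float = 0.0  # Unix time at which access_token stops working


def get_access_token(store: TokenStore, exchange: Callable[[str], dict],
                     now: Callable[[], float] = time.time, skew: int = 60) -> str:
    """Return a valid access token, refreshing it shortly before it expires.

    `exchange(refresh_token)` performs the grant_type=refresh_token request and
    returns the parsed JSON body (success or error) from the token endpoint.
    """
    if store.access_token and now() + skew < store.expires_at:
        return store.access_token  # still valid, no round trip needed
    if not store.refresh_token:
        raise ConsentRequired("no refresh token stored; consent needed")
    body = exchange(store.refresh_token)
    if body.get("error") == REVOKED_ERROR:
        # User revoked the app (or the grant expired): stop retrying and
        # ask for consent again rather than keeping a dead token around.
        store.refresh_token = None
        store.access_token = None
        raise ConsentRequired(f"refresh rejected ({REVOKED_ERROR}); consent needed")
    store.access_token = body["access_token"]
    store.expires_at = now() + int(body.get("expires_in", 3600))
    return store.access_token


def google_exchange(refresh_token: str, client_id: str, client_secret: str,
                    endpoint: str = "https://oauth2.googleapis.com/token") -> dict:
    """Real refresh against Google's token endpoint (URL is an assumption)."""
    data = urllib.parse.urlencode({"grant_type": "refresh_token",
                                   "refresh_token": refresh_token,
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    try:
        with urllib.request.urlopen(endpoint, data=data) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # a 4xx body carries {"error": "invalid_grant", ...}
```

Store `refresh_token` server-side and encrypted at rest, and never write it or `client_secret` to logs.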