pleerock
Reputation: 18846
How do I handle OAuth refresh token?
When I authorize on my OAuth server it returns me access / refresh tokens:
access_token: "ZjJlMGM2MDcxNDg5MDQ1NzA4ZjkyNzRiOTIwM2E5MWI4N2M0MWU0ZD..."
expires_in: 3600
refresh_token: "NWZjMzQ3YjNjMmY5YTEzYzMxMDYzNGVhNzRiNjAxZTdmZTdjNzE3z..."
scope: null
token_type: "bearer"
How do I use them in my client side javascript application?
- Is it okay to save access token and refresh token in the cookies? (is it safe? - but anyway I dont see any other place where I can store them...)
- I can request protected resources like this: /api/user?access_token=TOKEN . And when I access them I really get my protected data successful. But what will happen when this access token expired? Will it be automatically refreshed, or do I need to handle it manually?
- Why do I need refresh token and when I should send it to the server?
Upvotes: 2
Views: 1247
Answers (1)
1234varun
Reputation: 239
three-legged ( User---client ---- Oauthserver)
1)In 3 legged authentication access Token is stored at the client side and is never transferred to the user.
two legged (user ----Oauthserver)
In 2 legged authentication the token is stored at the user side. Probably in the cookie.
2)When the token expires user explicitly has to use the refresh token to get a new auth token.
3) Each Auth token has an expiry and instead of reauthenticating itself with a username/password,User can present refresh Token to get a new valid Auth token.
Upvotes: 1
Related Questions
- FOSOAuthServerBundle access_token life time
- How to implement FosOAuthServerBundle to secure a REST API?
- Shouldn't the old access token be invalidated by a refresh call?
- Rest api authentication: how to get the token the first time
- How to set provider to oauth token
- Get refresh token with FOSOAuthServerBundle
- Symfony2 oauth2 server
- FOSOAuthServerBundle Create Client
- oauth2 how to deal with refresh token
- OAuth access token for internal calls