i'm using oauth as:
- a secondary method sign users web application (rather manually providing name, email , password)
- a way receive receive user data throughout website.
what considered best practice when storing access tokens? have 2 options:
- store access tokens in cookies
- store access tokens in database
what advantages , disadvantages of either choice?
regarding token expirations, should done handle this?
one way know handle checking whether there error when calling api , requesting new token , calling api again. when requesting new token, require user sign in again? imagine problem when page on website requires data facebook, retrieve it, users have log in.
i don't understand how other websites manage maintain access facebook, google or twitter apis without requiring me log in again, when i'm on device haven't once logged in facebook, twitter or google. how this? thanks.
if authentication done using google oauth2.0. google provides 2 tokens namely, access token , refresh token.
access tokens have limited lifetime 3600 seconds , refresh tokens valid longer period of time.
refresh token expire. read "token expiration" section of google oauth2.0 link
one can obtain new access token refresh token without re-login. rest api
so, 1 can have logic implemented check time elapsed after access token generated , take precautionary steps new access token generation. google tokens expire in 3600 seconds, 1 can access token after every 3500 seconds , update older access token stored new 1 further use. 1 other way be, set refresh token in googlecredential passed parameter(httprequestinitializer) while creating service of api.(for example drive.builder)
if not storing refresh token access token can regenerated, have authenticate again new token.
Comments
Post a Comment