  • Handling of temporary OAuth tokens

    Shouldn't connections have an expiry time? Probably along with new methods in ConnectionRepository to update the token and expiry time.

  • #2
    I think what you're talking about is refreshing an OAuth 2 access token using the refresh token that was granted by the provider along with the access token. If so, then that's definitely in the plans for M3.


    • #3
      I'm not an expert in OAuth, that's why I planned on using spring-social; not sure what a refresh token is, gotta read up on this.

      What I'm talking about is FB's cookie-based login. Every time a user visits my site there will be new access_token and expire timestamp. How should this be handled? And how should/will expired access_tokens stored in DB be handled?


      • #4
        Facebook's a strange one in that their access tokens expire, but they don't support refresh tokens. So, there are only two ways of dealing with expired tokens in FB:

        - When it expires (either reacting to the expiration or to a 401 response) you'd need to send the user back to do FB authorization again.
        - Ask for "offline_access" permission so that you get a non-expiring token.

        If Facebook supported OAuth 2 refresh tokens, then you wouldn't have to...you'd just send in the refresh token to renew the life of the access token. (Hopefully Facebook will support refresh tokens at some point in the future...perhaps when the OAuth 2 spec is final.)

        In either event, these are scenarios that we're looking into addressing for M3.
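
The handling described in post #4, sketched as an added example that is not part of the original thread and is not Spring Social code: a stored connection carries an expiry time, and the application decides between using the token, refreshing it, or sending the user back through authorization. Every class, record and method name is hypothetical, and the 30-second skew margin is an assumption.

```java
import java.time.Duration;
import java.time.Instant;

// Added illustration; all names here are hypothetical, not Spring Social API.
public class TokenExpiryPolicy {

    enum Action { USE_TOKEN, REFRESH, REAUTHORIZE }

    // expiresAt == null models a non-expiring token (e.g. one granted with
    // "offline_access"); refreshToken == null models a provider that issues
    // no refresh tokens.
    record StoredConnection(String accessToken, String refreshToken, Instant expiresAt) {}

    // Assumption: treat a token as expired slightly early to absorb clock skew.
    static final Duration SKEW = Duration.ofSeconds(30);

    // Proactive check, made before calling the provider.
    static Action beforeCall(StoredConnection c, Instant now) {
        if (c.expiresAt() == null || now.plus(SKEW).isBefore(c.expiresAt())) {
            return Action.USE_TOKEN;
        }
        return onExpired(c);
    }

    // Reactive check: a 401 means the provider rejected the token, which can
    // happen before the stored expiry (for instance after the user revokes it).
    static Action afterResponse(StoredConnection c, int httpStatus) {
        return httpStatus == 401 ? onExpired(c) : Action.USE_TOKEN;
    }

    // With a refresh token the access token can be renewed silently;
    // without one the user has to authorize again.
    private static Action onExpired(StoredConnection c) {
        return c.refreshToken() != null ? Action.REFRESH : Action.REAUTHORIZE;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2011-01-01T12:00:00Z"); // constructed sample time
        // Constructed sample connections, not real tokens.
        var expiredNoRefresh = new StoredConnection("tok-a", null, now.minusSeconds(60));
        var nonExpiring = new StoredConnection("tok-b", null, null);
        var expiredRefreshable = new StoredConnection("tok-c", "ref-c", now.minusSeconds(60));

        System.out.println("expired, no refresh token: " + beforeCall(expiredNoRefresh, now));
        System.out.println("non-expiring token:        " + beforeCall(nonExpiring, now));
        System.out.println("expired, refresh token:    " + beforeCall(expiredRefreshable, now));
        System.out.println("non-expiring, got 401:     " + afterResponse(nonExpiring, 401));
    }
}
```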