Tight coupling in application and server due to Auth


Question:

I have to design a native mobile app which uses an access token with an expiry time of 2 min. The application maintains a timer and asks for a new access token every 2 min in the background. I feel this design introduces a tight coupling between the server and the app by maintaining a 2-minute timer. In an ideal world, maintaining the lifetime of the access token shouldn't be the application's responsibility. Am I missing something in the design? Is there any tutorial where the communication between app and server is specified when using OAuth?


Answer 1:

You shouldn't have the access token timeout hardcoded in your application. You get it in the expiresIn response attribute from the /token endpoint. For more info, see the OAuth2 RFC.

As Paulw11 mentioned, it's not necessary to refresh the access token proactively. You can design your HTTP client in a way that takes both tokens (access and refresh token) and the access token expiration time as parameters and refreshes the access token if necessary before using it.

I'm not sure what you mean by "communications between App and server", but there is an RFC about OAuth2 for native apps.

  • Published 2019-01-16 15:51
  • Views ( 204 )
  • Category: Web articles
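The client the answer sketches, as an added example in Python (not code from the post or its answerer): the token lifetime is read from the field RFC 6749 names `expires_in` in the /token response, and the access token is refreshed lazily, either right before use when it is within a small skew window of expiry, or once after a 401 from the resource server, never from a background timer. The token endpoint, the protected resource, the fake clock and the `REFRESH_SKEW_SECONDS` value are constructed stand-ins so the module runs offline; a real app would replace them with HTTP calls.

```python
"""Lazy-refresh OAuth 2.0 client (added example with a constructed token endpoint, resource and
clock so it runs offline). Token lifetime comes from the /token response's expires_in (RFC 6749
section 5.1); the token is refreshed only when about to be used and expiring, or on a 401."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

REFRESH_SKEW_SECONDS = 5.0  # refresh this long before expiry (assumed value, not from the post)

@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_at: Optional[float]  # client-clock time; None = server sent no expires_in

    @classmethod
    def from_token_response(cls, body: Dict[str, object], now: float) -> "TokenSet":
        """Parse a successful /token JSON body (RFC 6749 section 5.1)."""
        if str(body.get("token_type", "")).lower() != "bearer":
            raise ValueError("unsupported token_type: %r" % body.get("token_type"))
        expires_in = body.get("expires_in")  # seconds; SHOULD be present but may be absent
        expires_at = now + float(expires_in) if expires_in is not None else None
        return cls(str(body["access_token"]), body.get("refresh_token"), expires_at)

    def is_fresh(self, now: float) -> bool:
        # With no advertised lifetime the client relies solely on the 401 path in call().
        return self.expires_at is None or now + REFRESH_SKEW_SECONDS < self.expires_at

class OAuthClient:  # holds both tokens; refreshes the access token lazily, never on a timer
    def __init__(self, token_endpoint: Callable[[Dict[str, str]], Dict[str, object]],
                 tokens: TokenSet, clock: Callable[[], float] = time.monotonic) -> None:
        self._token_endpoint, self._tokens, self._clock = token_endpoint, tokens, clock
        self.refresh_count = 0

    def _refresh(self) -> None:
        if self._tokens.refresh_token is None:
            raise RuntimeError("access token expired and no refresh token: user must log in again")
        form = {"grant_type": "refresh_token", "refresh_token": self._tokens.refresh_token}
        new = TokenSet.from_token_response(self._token_endpoint(form), self._clock())
        if new.refresh_token is None:  # RFC 6749 section 6: server MAY omit it; keep the old one
            new.refresh_token = self._tokens.refresh_token
        self._tokens, self.refresh_count = new, self.refresh_count + 1

    def access_token(self) -> str:
        if not self._tokens.is_fresh(self._clock()):
            self._refresh()
        return self._tokens.access_token

    def call(self, resource: Callable[[str], Tuple[int, str]]) -> Tuple[int, str]:
        """Send one bearer request; on 401 refresh once and retry once (no retry loop)."""
        status, body = resource(self.access_token())
        if status == 401:
            self._refresh()
            status, body = resource(self._tokens.access_token)
        return status, body

class FakeAuthServer:  # constructed stand-in: rotating refresh tokens + one bearer-protected resource
    def __init__(self, clock: Callable[[], float], lifetime_seconds: int = 120) -> None:
        self._clock, self._lifetime, self._n = clock, lifetime_seconds, 0
        self.valid_until: Dict[str, float] = {}  # access token -> expiry on the server clock
        self._refresh: Set[str] = set()           # unrotated, still-valid refresh tokens

    def issue(self) -> Dict[str, object]:
        self._n += 1
        access, refresh = "at-%d" % self._n, "rt-%d" % self._n
        self.valid_until[access] = self._clock() + self._lifetime
        self._refresh.add(refresh)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": self._lifetime, "refresh_token": refresh}

    def token_endpoint(self, form: Dict[str, str]) -> Dict[str, object]:
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") not in self._refresh:
            raise ValueError("invalid_grant")
        self._refresh.discard(form["refresh_token"])  # rotation: the used refresh token dies
        return self.issue()

    def resource(self, bearer: str) -> Tuple[int, str]:
        expiry = self.valid_until.get(bearer)
        return (200, "ok") if expiry is not None and self._clock() < expiry else (401, "invalid_token")

def scenario() -> Dict[str, Tuple[int, str, int]]:
    """Walk a 2-minute token through reuse, lazy refresh and revocation on a fake clock."""
    now = [1000.0]
    clock = lambda: now[0]
    server = FakeAuthServer(clock, lifetime_seconds=120)
    client = OAuthClient(server.token_endpoint,
                         TokenSet.from_token_response(server.issue(), clock()), clock)
    def step() -> Tuple[int, str, int]:  # (HTTP status, token in use, refreshes so far)
        return client.call(server.resource)[0], client.access_token(), client.refresh_count
    out = {"first": step()}
    now[0] += 100  # 20 s left, outside the skew window: token reused, no refresh
    out["near_expiry"] = step()
    now[0] += 18   # 2 s left, inside the skew window: refreshed before use
    out["after_expiry"] = step()
    server.valid_until.pop(client.access_token())  # server-side revocation the clock cannot predict
    out["after_revocation"] = step()  # 401 -> one refresh -> retry succeeds
    return out
```

Two points worth noting in the design: the client refreshes on a 401 only once per request, so a server that keeps rejecting tokens cannot drive it into a refresh loop, and a missing `refresh_token` in the refresh response keeps the previous one, which is what RFC 6749 section 6 permits the server to expect. Whether a real app should use `time.monotonic()` or wall-clock time depends on how the platform suspends the process; the point is that the deadline is derived from what the server sent, not from a constant compiled into the app.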
