I have to design a native mobile app which uses an access token with an expiry time of 2 min. The application maintains a timer and it asks for a new access token every 2 min in the background. I feel this design introduces a tight coupling between the server and the app for maintaining the 2 min time. In an ideal world, maintaining the life of the access token shouldn't be the application's responsibility. Am I missing something in the design? Is there any tutorial where communication between the app and server is specified when using OAuth?
Answer 1:
You shouldn't have the access token timeout hardcoded in your application. You get it in the expiresIn response attribute from the /token endpoint. For more info, see the OAuth2 RFC.
As Paulw11 mentioned, it's not necessary to refresh the access token proactively. You can design your HTTP client in a way that takes both tokens (access and refresh token) and the access token expiration time as parameters and refreshes the access token if necessary before using it.
I'm not sure what you mean by "communications between App and server", but there is an RFC about OAuth2 for native apps.
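The refresh-before-use design described in the answer, as an added example that is not part of the original answer: the token lifetime is read from the token response's `expires_in` field (the name RFC 6749 gives it) instead of a 2-minute constant, and no background timer is needed. `TokenStore`, `FakeTokenEndpoint`, the 10-second skew and the token values are assumptions constructed for illustration; a real app would replace the fake endpoint with a `grant_type=refresh_token` request to its `/token` endpoint.

```python
import time


class TokenStore:
    """Holds the token pair and refreshes the access token lazily, right before use."""

    def __init__(self, token_response, refresh_fn, clock=time.monotonic, skew=10):
        self._refresh_fn = refresh_fn  # hypothetical callable: refresh_token -> token response
        self._clock = clock            # injectable so the example can simulate time
        self._skew = skew              # seconds of margin for network latency
        self._refresh_token = None
        self._store(token_response)

    def _store(self, resp):
        self._access_token = resp["access_token"]
        # The server may rotate the refresh token; keep the old one if it does not.
        self._refresh_token = resp.get("refresh_token", self._refresh_token)
        # Lifetime comes from the server's response, never from a constant in the app.
        lifetime = resp.get("expires_in")
        self._expires_at = None if lifetime is None else self._clock() + int(lifetime)

    def is_expired(self):
        # expires_in is optional; without it the client can only react to a rejected request.
        return self._expires_at is not None and self._clock() >= self._expires_at - self._skew

    def access_token(self):
        if self.is_expired():
            self._store(self._refresh_fn(self._refresh_token))
        return self._access_token


class FakeTokenEndpoint:
    """Constructed stand-in for the /token endpoint so the example runs offline."""

    def __init__(self):
        self.seen = []  # refresh tokens presented by the client

    def __call__(self, refresh_token):
        self.seen.append(refresh_token)
        n = len(self.seen)
        return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}", "expires_in": 120}


def demo():
    now = [0.0]
    endpoint = FakeTokenEndpoint()
    first = {"access_token": "at-0", "refresh_token": "rt-0", "expires_in": 120}
    store = TokenStore(first, endpoint, clock=lambda: now[0])
    used = []
    for t in (0, 60, 115, 130, 300):  # simulated times (seconds) of API calls
        now[0] = t
        used.append(store.access_token())
    return used, endpoint.seen
```

If the server later changes the token lifetime, this client follows it without an app update, because only the value returned by the token endpoint is used.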