oauth - Is the function of the authorization code and the refresh token duplicated in the design of oauth2?


There are 2 ways to fetch an access token:

  1. use the authorization code to exchange for it
  2. use the refresh token to refresh it

Think about it!!

Though the words "exchange" and "refresh" are different, what they do is the same.

Both actions need to pass the client id & client secret (or signature) and a token.

We could save the authorization code in our system and again use the auth code to refresh the access token, as the refresh token does.

Except that the authorization code expires soon.

So I wonder why the designers of oauth2 designed these 2 concepts instead of using 1 single concept, or designing the authorization code to have a long expiry time.

I'm afraid you have not understood the concepts of oauth2 well. There aren't 2 ways of getting an access token, there are more. Each one is called a 'grant type'. I'm describing the use cases of the ones I have deployed below:

1- authorization code: this is similar to the flow of the "login with facebook" etc. buttons you see on different websites, which allow you to register/login using your facebook etc. account. Here, on clicking the button, control is directed to facebook, where the user enters their login credentials. If successful, an authorization code is sent to whatever redirect URL you entered while registering as a developer with facebook. You use this authorization code to request an access token from the access token service, and use that access token whenever accessing facebook webservices for the user's details.

2- client credentials: if you are running your own webservices and want to allow access to valid clients, this is the grant type to use. For example, you are running webservices that you want to consume in your own native mobile app, which you distribute through the app store. This ensures that the installed app is able to access the webservice.

3- user credentials: same as above, in case you want to allow an authenticated registered user and give them access to user-restricted services such as their account etc.

4- refresh token: by design, the access token service gives you an access token and a refresh token. You use the refresh token obtained here to refresh an expired access token. Essentially, it does not generate a new access token, it "refreshes" the existing token. It gives you a new access token and refresh token and extends the expiry time. When the access token expires, you again call refresh token using the refresh token obtained last time, and keep repeating the process every time the token expires.
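The two grant types the question compares, worked through as a toy in-memory token endpoint. This is an added example, not code from the question or the answer; the client id, secret, redirect URI, user name and store names are constructed for illustration. It shows what the answer describes: the same client authentication step serves both grants, but an authorization code is short-lived, bound to the client and redirect URI, and exchanged exactly once, while a refresh token lives on and is rotated on each use.

```python
import secrets
import time

# Constructed in-memory stores for a toy authorization server (example only).
CLIENTS = {"app-123": {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb"}}
CODES = {}           # code -> {client_id, redirect_uri, user, expires, used}
REFRESH_TOKENS = {}  # refresh_token -> {client_id, user}
CODE_TTL = 60        # authorization codes are short-lived and single-use
ACCESS_TTL = 3600    # access tokens expire; refresh tokens outlive them


def issue_code(client_id, redirect_uri, user, now=None):
    """Issued once the user has logged in; bound to the client and redirect_uri."""
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user,
                   "expires": (now or time.time()) + CODE_TTL, "used": False}
    return code


def _mint_tokens(client_id, user):
    """Both grants end here: a fresh access token plus a fresh refresh token."""
    refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh] = {"client_id": client_id, "user": user}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}


def token_endpoint(form, now=None):
    """Handle grant_type=authorization_code and grant_type=refresh_token."""
    now = now or time.time()
    client = CLIENTS.get(form.get("client_id"))
    if client is None or client["secret"] != form.get("client_secret"):
        return {"error": "invalid_client"}   # same client check for both grants
    if form.get("grant_type") == "authorization_code":
        entry = CODES.get(form.get("code"))
        if (entry is None or entry["used"] or now > entry["expires"]
                or entry["client_id"] != form["client_id"]
                or entry["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        entry["used"] = True   # a code is exchanged exactly once
        return _mint_tokens(form["client_id"], entry["user"])
    if form.get("grant_type") == "refresh_token":
        # Rotation: the presented refresh token is consumed and a new one issued.
        entry = REFRESH_TOKENS.pop(form.get("refresh_token"), None)
        if entry is None or entry["client_id"] != form["client_id"]:
            return {"error": "invalid_grant"}
        return _mint_tokens(form["client_id"], entry["user"])
    return {"error": "unsupported_grant_type"}
```

Refresh-token lifetime and revocation policy are left out to keep the example short; a real server would enforce both.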
