Can LinkedIn's access token renewal flow be performed on the server?

Time: 2013-12-10 02:16:52

Tags: api oauth oauth-2.0 linkedin

In Facebook's Graph API, once we have authenticated the user initially, we can interact with the API directly (from the server) to obtain a long-lived page access token. This long-lived page access token never expires. (https://developers.facebook.com/docs/facebook-login/access-tokens/ )

Reading LinkedIn's documentation, it seems there is no way to obtain an access token with an indefinite (non-expiring) lifetime. They appear to expire every 60 days. However, these access tokens can be refreshed before the 60 days are up.

What is not entirely clear from the documentation is whether the access token renewal can be performed on the server alone, without any client interaction. The wording of the documentation suggests that client (browser) interaction is required, but it does not say so explicitly.

So my question is: can a LinkedIn access token be renewed using the server alone, without client (browser) interaction?

Related LinkedIn reference: https://developer.linkedin.com/documents/handling-errors-invalid-tokens

2 answers:

Answer 0 (score: 14)

It turns out that a LinkedIn access token cannot be refreshed unless the LinkedIn user is logged in to LinkedIn. See the first comment by a LinkedIn employee here, which states clearly: "this refresh will only work if the user is still logged into LinkedIn (authenticated) and the current access token isn't expired. Otherwise, the user will be presented with the login dialog again."

Note

I guess this is now a major problem for those who previously stored LinkedIn access tokens in a database for later use.

I am referring here to some links that discuss the problem of refreshing LinkedIn OAuth2 tokens (hoping this makes things clear for everyone struggling with the same problem):

1) This refresh will only work if the user is still logged into LinkedIn (authenticated) and the current access token isn't expired. Otherwise, the user will be presented with the login dialog again.

2) There is no way to refresh the token using the old authentication token/secret. User needs to log into linkedin in order for you to refresh the tokens. We use this flow as it protects our members and their data in the best possible manner.

3) Refreshing an access token is very simple and can happen without an authorization dialog appearing for the user. In other words, it's a seamless process that doesn't affect your application's user experience. Simply have your application go through the authorization flow in order to fetch a new access token with an additional 60 day life span. When the following conditions exist:
   - User is still logged into Linkedin.com
   - The current access token isn't expired (within the 60 life span)
   We will automatically redirect the user back to your redirect_uri without requiring them to reauthorize your application. If they don't exist, we'll prompt them to login and then redirect them.

4) We have also standardized the duration of the authorization tokens. Previously, members could choose to grant tokens that were as short as one day or as long as forever. Now all tokens are 60 days in length, with the ability for you to extend them in a series of rolling 60 day increments whenever the member comes back to your application. To prevent a bad user experience in your application, be sure to proactively refresh tokens and elegantly route any expired tokens through a refresh flow.

5) As long as the user is logged into LinkedIn and their current access token hasn't expired, you can fetch an access token with a 60 day lifespan the next time the user comes to your application.
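The quotes above leave the server with exactly one job: it cannot mint a new token on its own, but it can decide when to send the user's browser back through the authorization flow (proactively, before the 60 days run out), and it must validate the callback when the browser returns. The following is an added example of that bookkeeping, written for this page and not code from the original post or from LinkedIn. The authorization endpoint URL, the `state`/`code`/`error` parameter names and the `expires_in` field in the token response are the standard OAuth 2.0 shapes LinkedIn documents and are assumptions here; the 7-day refresh window is an example policy.

```python
"""Server-side handling of LinkedIn's 60-day access tokens (added example).

The server never refreshes a token by itself.  It only (a) classifies the
stored token, (b) builds the authorization URL the browser must visit so
LinkedIn can silently re-issue a token while the user is still logged in,
and (c) validates the redirect back to redirect_uri.
"""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: OAuth 2.0 authorization endpoint as documented by LinkedIn.
AUTH_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization"
TOKEN_LIFETIME = timedelta(days=60)   # lifetime stated in the answer above
REFRESH_WINDOW = timedelta(days=7)    # example policy: refresh when < 7 days remain


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so callers can build timezone-aware instants."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class StoredToken:
    access_token: str
    expires_at: datetime


def token_from_response(body: dict, now: datetime) -> StoredToken:
    """Build the record to store from the token endpoint's JSON reply.

    Assumes the reply looks like {"access_token": "...", "expires_in": seconds}.
    Persist expires_at, not issued_at: the lifetime is whatever LinkedIn says.
    """
    lifetime = timedelta(seconds=int(body["expires_in"]))
    return StoredToken(body["access_token"], now + lifetime)


def token_state(tok: StoredToken, now: datetime) -> str:
    """Classify a stored token for the request handler.

    'valid'   -> use it for API calls
    'refresh' -> still valid and the user is here: route through the
                 authorization flow now, LinkedIn redirects back silently
    'expired' -> no server-side refresh is possible; user must log in again
    """
    if now >= tok.expires_at:
        return "expired"
    if tok.expires_at - now <= REFRESH_WINDOW:
        return "refresh"
    return "valid"


def new_state() -> str:
    """Per-request CSRF token; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id: str, redirect_uri: str, state: str,
                            scope: str = "r_liteprofile") -> str:
    """URL the browser is sent to; LinkedIn decides whether to show a dialog."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": scope,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def validate_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect, or raise.

    The state check is what stops an attacker from binding their own
    LinkedIn account (or code) to a victim's session.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in qs:
        # User was not logged in / declined: treat like an expired token.
        raise PermissionError(qs["error"][0])
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


if __name__ == "__main__":
    now = utc(2013, 12, 10)
    tok = token_from_response({"access_token": "AQX-example", "expires_in": 4 * 86400}, now)
    print(token_state(tok, now))                       # refresh
    st = new_state()
    print(build_authorization_url("clientid", "https://app.example/cb", st))
    print(validate_callback(f"https://app.example/cb?code=abc&state={st}", st))
```

In the request handler, `refresh` means "redirect this visit through `build_authorization_url`", not "call the token endpoint with the stored token"; the constructed callback in `__main__` stands in for the redirect LinkedIn performs after the user's browser visits that URL. The token exchange itself (POSTing `code` plus client credentials to the token endpoint) is the only network step and is left out so the example runs offline.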

Answer 1 (score: 2)

I had the same problem. LinkedIn's documentation and forum posts are confusing, but I am now fairly sure that it is not possible to do this programmatically without user intervention (i.e. the user needs to log in to your application via LinkedIn authentication to refresh the token).