oauth2访问令牌过期

时间:2015-05-13 01:48:25

标签: php google-oauth google-oauth2

<?php
session_start();

require_once realpath(dirname(__FILE__) . '/Google/src/Google/autoload.php');

/************************************************
  ATTENTION: Fill in these values! Make sure
  the redirect URI is to this page, e.g:
  http://localhost:8080/user-example.php
 ************************************************/
 $client_id = 'xxxxx-1l76cd2vi4ik5oqm5s20nj965riu4hum.apps.googleusercontent.com';
 $client_secret = 'secret';
 $redirect_uri = 'http://www.audit.polydevs.co.uk/oauth2callback.php?login';

$client = new Google_Client();
$client->setClientId($client_id);
$client->setClientSecret($client_secret);
$client->setRedirectUri($redirect_uri);
$client->setScopes('email');

/************************************************
  If we're logging out we just need to clear our
  local access token in this case
 ************************************************/

if (isset($_REQUEST['logout'])) {
  unset($_SESSION['access_token']);
  header("Location: login.php");
}

if (isset($_REQUEST['logoutInvalid'])) {
    unset($_SESSION['access_token']);
    header("Location: login.php?invalid");
}

/************************************************
  If we have a code back from the OAuth 2.0 flow,
  we need to exchange that with the authenticate()
  function. We store the resultant access token
  bundle in the session, and redirect to ourself.
 ************************************************/
if (isset($_GET['code'])) {
  $client->authenticate($_GET['code']);
  $_SESSION['access_token'] = $client->getAccessToken();
  $redirect = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
  header('Location: ' . filter_var($redirect, FILTER_SANITIZE_URL));
}

/************************************************
  If we have an access token, we can make
  requests, else we generate an authentication URL.
 ************************************************/
if (isset($_SESSION['access_token']) && $_SESSION['access_token']) {
  $client->setAccessToken($_SESSION['access_token']);
} else {
  $authUrl = $client->createAuthUrl();
}

/************************************************
  If we're signed in we can go ahead and retrieve
  the ID token, which is part of the bundle of
  data that is exchange in the authenticate step
  - we only need to do a network call if we have
  to retrieve the Google certificate to verify it,
  and that can be cached.
 ************************************************/
if ($client->getAccessToken()) {
  $_SESSION['access_token'] = $client->getAccessToken();
  $token_data = $client->verifyIdToken()->getAttributes();
}

if($client->isAccessTokenExpired()) {
  echo 'Access Token Expired'; // Debug
  $client->authenticate;
  $newAccessToken = json_decode($client->getAccessToken());
  $client->refreshToken($newAccessToken->refresh_token);
}

if (strpos($client_id, "googleusercontent") == false) {
  echo missingClientSecretsWarning();
  exit;
}

if (isset($_REQUEST['login'])) {
    if (isset($authUrl)) {
        header('Location:'.$authUrl);
    } else {
        require_once('func/connect.php');
        $query = "SELECT * FROM users WHERE email = ?";
        $stmt = $db->prepare($query);
        $stmt->bindValue(1, $token_data['payload']['email']);
        $stmt->execute();

        $count = $stmt->rowCount();

        if ($count > 0) {           
            header('Location: index.php');
        } else {
            $plus = new Google_Service_Plus( $client );
            $me = $plus->people->get('me');

            $query = "INSERT INTO users (name,email,role) VALUES(?,?,?)";
            $stmt = $db->prepare($query);
            $stmt->bindValue(1, $me['displayName']);
            $stmt->bindValue(2, $token_data['payload']['email']);
            $stmt->bindValue(3, 'regular');
            $stmt->execute();

            header('Location: index.php');
        }
    }
}

具体在这里

if($client->isAccessTokenExpired()) {
  echo 'Access Token Expired'; // Debug
  $client->authenticate;
  $newAccessToken = json_decode($client->getAccessToken());
  $client->refreshToken($newAccessToken->refresh_token);
}

我的令牌过期后,我无法注销或访问任何网页,因为他们需要有效令牌。

我也无法登录,因为它也需要它!

或者,我可以禁用它吗?

修改

我很抱歉,我很累,并且假设每个人都知道我在说什么。问题是,当访问令牌到期时,我可以取消设置$ _SESSION ['access_token']并强制重新启动在(主要问题)或有一种方式只是刷新/禁用令牌/过期,所以它不会妨碍用户的任何正在进行的进程。

1 个答案:

答案 0 :(得分:1)

我建议您阅读有关OAuth的基本指南,这样您就可以获得一般性的想法。

基本上,服务器和客户端会通过一系列步骤来证明他们是他们所说的人。完成此操作后,服务器将发出短暂的access_tokenrefresh_token

然后,您可以在所有Api请求中使用此access_token。但是这个access_token的生命周期有限。到期后,您必须将refresh_token提供给服务器,然后它会发出另一个access_token

要使用Google Api PHP库执行此操作,请使用此代码

//$client is the GApi Client
if($client->isAccessTokenExpired()) {
    echo 'Access Token Expired'; // Debug
    $client->refreshToken('your_refresh_token');
}