OAuth grant flow - tokens expiration

Submitted by 为君一笑 on 2019-12-01 09:07:11
vibronet

Answers:

  1. A few minutes. The exact value is an implementation detail and can change at any moment. You should do whatever you can to redeem the code as soon as you get it.
  2. See http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/
  3. As of today the lifetime limits cannot be changed. We are working on features that will grant you more control, but we have no ETA to share at the moment.

The only way of guaranteeing that a user is signed in is to successfully redeem a refresh token, or to go through an authentication flow. Use of cached credentials is restricted to very few cases, and will likely be disallowed in upcoming versions of the service.

If a refresh token expires, you should plan to perform an interactive authentication. Note that the refresh token might also be invalidated by a consent revocation, which will mandate interactivity in all cases.

What you can do is to obtain the refresh_token and the access_token. Access what you need via the access_token, if that fails then assume it has expired and use the refresh_token to update the access_token. If a user changes their password (or maybe there are other cases) then you start the user over from square one.

To get the refresh_token I think you need to add offline_access to your scope. Something like this:

    USER_OAUTH2_AUTHORIZE_URL
        + "?client_id=" + config.getClientId()
        + "&redirect_uri=" + getOutlookLoginRedirect(request)
        + "&response_type=code"
        // offline_access is the scope that makes the token endpoint also return a refresh_token
        + "&scope=https%3A%2F%2Foutlook.office.com%2Fmail.send%20"
            + "https%3A%2F%2Foutlook.office.com%2Fmail.readwrite%20"
            + "offline_access%20openid%20email%20profile"
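The strategy the two answers describe (redeem the code promptly because it is single-use and short-lived, call the API with the access token, refresh when that fails, and fall back to an interactive sign-in when the refresh itself is rejected, as happens after consent revocation or a password change), as an added example that is not part of either answer. The authorization server below is an in-memory fake constructed for this example: its lifetimes, its rotation of the refresh token on every refresh, and its `invalid_grant` responses are assumptions modelled on RFC 6749 rules, not on Azure AD's actual implementation. The scope list mirrors the snippet above so that `offline_access` is what turns on refresh-token issuance.

```python
import secrets

CODE_LIFETIME_S = 5 * 60      # assumed: "a few minutes"; the real value is the provider's
ACCESS_LIFETIME_S = 60 * 60   # assumed as well, and it can change without notice
SCOPES = ("https://outlook.office.com/mail.send", "https://outlook.office.com/mail.readwrite",
          "offline_access", "openid", "email", "profile")


class FakeAuthServer:
    """In-memory authorization server plus protected API, built for this example only."""
    def __init__(self):
        self.now = 0.0        # simulated clock in seconds
        self.codes = {}       # code -> (issued_at, scopes); single-use and short-lived
        self.access = {}      # access_token -> expiry
        self.refresh = {}     # refresh_token -> scopes, or None once revoked or rotated

    def authorize(self, scopes):
        # Browser leg: the user signs in and consents; the client receives a code.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (self.now, tuple(scopes))
        return code

    def _issue(self, scopes):
        resp = {"access_token": secrets.token_urlsafe(16), "expires_in": ACCESS_LIFETIME_S}
        self.access[resp["access_token"]] = self.now + ACCESS_LIFETIME_S
        if "offline_access" in scopes:          # only then is a refresh_token returned
            resp["refresh_token"] = secrets.token_urlsafe(16)
            self.refresh[resp["refresh_token"]] = scopes
        return resp

    def token(self, grant_type, **params):
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)   # pop: a code is single-use
            if entry is None or self.now - entry[0] > CODE_LIFETIME_S:
                return {"error": "invalid_grant"}              # replayed or stale code
            return self._issue(entry[1])
        if grant_type == "refresh_token":
            scopes = self.refresh.get(params.get("refresh_token"))
            if scopes is None:
                return {"error": "invalid_grant"}              # revoked, rotated or unknown
            self.refresh[params["refresh_token"]] = None       # rotate on every refresh
            return self._issue(scopes)
        return {"error": "unsupported_grant_type"}

    def revoke_consent(self):
        # Consent revocation (or a password change): every refresh token stops working.
        self.refresh = dict.fromkeys(self.refresh)

    def resource(self, access_token):
        # The protected API: 200 for a live token, 401 for anything else.
        expiry = self.access.get(access_token)
        return 200 if expiry is not None and expiry > self.now else 401


class Client:
    """Use the access token; on failure refresh; if that is rejected, go interactive."""
    def __init__(self, server, interactive_login):
        self.server = server
        self.interactive_login = interactive_login   # returns a fresh code (user present)
        self.access_token = self.refresh_token = None

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)

    def sign_in(self):
        # Redeem the code straight away: it is single-use and only lives for minutes.
        resp = self.server.token("authorization_code", code=self.interactive_login())
        if "error" in resp:
            raise RuntimeError("code redemption failed: " + resp["error"])
        self._store(resp)

    def call_api(self):
        """Return which path succeeded: 'ok', 'refreshed' or 'reauthenticated'."""
        if self.access_token and self.server.resource(self.access_token) == 200:
            return "ok"
        if self.refresh_token:
            resp = self.server.token("refresh_token", refresh_token=self.refresh_token)
            if "error" not in resp:
                self._store(resp)
                return "refreshed"
            self.access_token = self.refresh_token = None   # a rejected refresh token is dead
        self.sign_in()
        return "reauthenticated"


def demo():
    server = FakeAuthServer()
    client = Client(server, lambda: server.authorize(SCOPES))
    client.sign_in()
    steps = [client.call_api()]                      # live access token      -> 'ok'
    server.now += ACCESS_LIFETIME_S + 1
    steps.append(client.call_api())                  # expired, refresh works -> 'refreshed'
    server.revoke_consent()
    server.now += ACCESS_LIFETIME_S + 1
    steps.append(client.call_api())                  # refresh rejected       -> 'reauthenticated'
    stale = server.authorize(SCOPES)                 # a code left unredeemed for too long
    server.now += CODE_LIFETIME_S + 1
    return steps, server.token("authorization_code", code=stale)
```

`demo()` walks the three client paths in order and then shows what a code that sat unredeemed for longer than its lifetime gets back from the token endpoint. The one design point worth copying into real code is in `call_api`: a refresh token that the server has rejected is cleared immediately rather than retried, because after revocation or a password change nothing but a new interactive sign-in will produce a working token.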