What does "offline" access in OAuth mean?
What exactly does the word "offline" mean with regard to the offline access granted by an OAuth server?
Does it mean that the resource server will return data about the user even when the user is logged out of the third-party application or when the user is logged out of the OAuth resource server such as Facebook or Google or Twitter?
Offline access is IMO a really bad name for it, and I think it's a term only Google uses; it's not in the RFC for OAuth as far as I remember.
What is Google offline access?
When you request Offline Access the Google Authentication server returns a Refresh-Token. Refresh tokens give your application the ability to request data on behalf of the user when the user is not present and in front of your application.
Example of an app needing offline access:
Let's say I have a Super Awesome app that downloads your Google Analytics data, makes it into a nice PDF file and emails it to you every morning with your stats. For this to work my application needs to have the ability to access your Google Analytics data when you are not around to give me permission to do that. So Super Awesome app would request offline access and the authentication server would return a refresh token. With that refresh token Super Awesome app can request a new access token whenever it wants and get your Google Analytics data.
Example of an app not needing offline access:
Let's try Less Awesome app that lets you upload files to Google Drive. Less Awesome app doesn't need to access your Google Drive account when you're not around. It only needs to access it when you're online. So in theory it wouldn't need offline access, but in practice it does: it still gets a refresh token so that it won't have to ask you for permission again. This is where I think the naming is incorrect.
documentation stuff
If a refresh token is present in the authorization code exchange, then it can be used to obtain new access tokens at any time. This is called offline access, because the user does not have to be present at the browser when the application obtains a new access token.
The truth about offline access
The thing is that in a lot of cases the authentication server will return the refresh token to you no matter what; you don't have to actually ask for anything, it gives it to you, giving you the ability to access the user's data when they aren't around. Users don't know that you could access their data without them being there. (It's only the JavaScript library and I think the PHP library that hide the refresh token from you, but it's there.)
Example: You can test this with the following instructions: Google 3 legged OAuth flow.
But just POSTing
POST https://accounts.google.com/o/oauth2/token
code={AuthCode}&client_id={ClientId}.apps.googleusercontent.com&client_secret={ClientSecret}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code
Response:
{
"access_token" : "ya29.1.AADtN_VSBMC2Ga2lhxsTKjVQ_ROco8VbD6h01aj4PcKHLm6qvHbNtn-_BIzXMw",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/J-3zPA8XR1o_cXebV9sDKn_f5MTqaFhKFxH-3PUPiJ4"
}
I now have offline access to this user's data, and I never told them that I would have it.
By design the access tokens returned by the OAuth flow expire after a period of time (1 hour for Google access tokens), as a safety mechanism. This means that any application that wants to work with a user's data needs the user to have recently gone through the OAuth flow, aka be online. Requesting offline access provides the application a refresh token it can use to generate new access tokens, allowing it to access user data long after the data has gone through the OAuth flow, aka when they are offline.
Getting offline access is needed when your application continues to run when the user isn't present. For instance, if there is some nightly batch process, or if your application responds to external events like push notifications. However if you only access user data while the user is actively using your application then there is no need for offline access. Just send the user through the OAuth flow every time you need an access token, and if they've previously granted access to your application the authorization page will instantly close, making the process nearly invisible to the user.
For Google APIs, you can request offline access by including the parameter access_type=offline in the authorization URL you present to your users. Offline access, and hence refresh tokens, is requested automatically when using the Installed Application flow.
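Both answers above come down to the same mechanics: the access token expires after expires_in seconds, a refresh token (requested with access_type=offline, or handed out anyway) lets the app mint new access tokens while the user is absent, and an app that does not need that capability should notice it holds one. The following Python module is an added example written for this page, not code from either answer or from Google's client libraries. The token endpoint is the one posted above; the authorization and revocation endpoint URLs, the Analytics scope string, the client id and every token value are assumptions or placeholders, and the token responses are constructed samples.

```python
import json
import time
from urllib.parse import urlencode

# Token endpoint as posted in the answer above. The authorization and
# revocation endpoints are assumptions (the URLs I know Google documents);
# verify them against current Google docs before relying on them.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"

# Constructed sample token-endpoint responses (placeholder values, not real tokens).
SAMPLE_ONLINE_RESPONSE = json.dumps({
    "access_token": "ACCESS-TOKEN-PLACEHOLDER",
    "token_type": "Bearer",
    "expires_in": 3600,
})
SAMPLE_OFFLINE_RESPONSE = json.dumps({
    "access_token": "ACCESS-TOKEN-PLACEHOLDER",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "REFRESH-TOKEN-PLACEHOLDER",
})


def build_auth_url(client_id, redirect_uri, scopes, state, offline=False):
    """Authorization URL; access_type=offline asks Google for a refresh token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # opaque per-request value, checked on the redirect back
    }
    if offline:
        params["access_type"] = "offline"
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_token_response(body, now=None):
    """Turn a token-endpoint JSON body into a dict with an absolute expiry."""
    now = time.time() if now is None else now
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data.get("expires_in", 3600)),
        # May be present whether or not you asked for it: a long-lived
        # credential that must be stored encrypted and revoked when not needed.
        "refresh_token": data.get("refresh_token"),
    }


def has_offline_access(tokens):
    """True when the app can act for the user without them being present."""
    return tokens["refresh_token"] is not None


def access_token_expired(tokens, now=None, skew=60):
    """True when the access token is expired or within `skew` seconds of it."""
    now = time.time() if now is None else now
    return now + skew >= tokens["expires_at"]


def next_action(tokens, now=None):
    """What the app should do before calling an API with this token set."""
    if not access_token_expired(tokens, now):
        return "use"          # short-lived access token still valid
    if has_offline_access(tokens):
        return "refresh"      # user absent, refresh token available
    return "reauthorize"      # send the user back through the OAuth flow


def refresh_request(tokens, client_id, client_secret):
    """Endpoint and form body for the RFC 6749 section 6 refresh grant."""
    if not has_offline_access(tokens):
        raise RuntimeError("no refresh token: the user has to go through the flow again")
    return TOKEN_ENDPOINT, {
        "grant_type": "refresh_token",
        "refresh_token": tokens["refresh_token"],
        "client_id": client_id,
        "client_secret": client_secret,
    }


def revoke_request(tokens):
    """Endpoint and form body to give back offline access the app does not need."""
    return REVOKE_ENDPOINT, {"token": tokens["refresh_token"] or tokens["access_token"]}


if __name__ == "__main__":
    url = build_auth_url("CLIENT-ID.apps.googleusercontent.com",
                         "urn:ietf:wg:oauth:2.0:oob",
                         ["https://www.googleapis.com/auth/analytics.readonly"],
                         state="opaque-random-state", offline=True)
    print(url)
    tokens = parse_token_response(SAMPLE_OFFLINE_RESPONSE, now=0)
    print("offline access:", has_offline_access(tokens))
    print("two hours later:", next_action(tokens, now=7200))
```

The check in `has_offline_access` is the practical takeaway from the first answer: log or alert when a refresh token arrives that the app never planned to use, store it encrypted if it is kept, and post the `revoke_request` body if it is not. `next_action` encodes the second answer's rule: use the access token while it is fresh, refresh it only when a refresh token exists, and otherwise send the user back through the flow.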