When the token expires, the general way to handle it is to jump to the login page. But OAuth2 defines how to update tokens, and you can use other implementations yourself.

Within one timeout after the token (access token) expires, use the old refresh token to obtain a new token, so that one more timeout period is gained. If more than one timeout period has passed (that is, there was no access within one timeout), it is a real timeout and you need to log in again. This unexpected user stays
understand OAuth 2.0
First of all, this should not happen. What I did before:

If it is a website: when a user opens a web page and the token has not expired, make sure that the token does not expire before the page is closed.

If it is an app: when a user opens the app for a while and the token has not expired, make sure that the token does not expire before the app is closed.
This problem is quite common. For example, I leave this window open for a long time, and then it expires. It is also easy to solve:

Scenario 1: if a user stays for a long time and exceeds the maximum valid time of a token, there is no solution.

Scenario 2: if the validity time of the token is 3 days, then no matter when the user enters again, refresh the validity time of the token. For example, if you log in today and log in again the next day, you will actually have another three days counted from the next day; or simply replace the token, and that's it. In this way, scenario 1 can only happen on a page that has stayed open for three days.
Conclusion: users verify the old token every time they enter for the first time. If it is invalid, log in first; if it is valid, refresh the token, whether that means the validity time of the token or the value of the token.

Stay active, for example by visiting an interface from time to time. In such an active state, it will definitely not expire.
The safest way to get a token: refreshing the token every time you enter the program brings the old-token-invalidation problem and a bad experience to users. Fault-tolerant mechanism: when an expired token is detected, the user re-authorizes to refresh the token, and the old token should still be valid for 5 min (customizable).
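As an added example (not code from the original thread), the following Python models the behaviour the answers above describe: a short-lived access token, a 3-day refresh token whose window slides on every use, single-use refresh tokens, and a 5-minute grace period in which the superseded access token stays valid so in-flight requests do not fail right after a refresh. The TTL values and the `on_enter` client flow are constructed for illustration.

```python
import secrets

ACCESS_TTL = 15 * 60          # access token lifetime in seconds (constructed value)
REFRESH_TTL = 3 * 24 * 3600   # refresh token lifetime: 3 days, as in the thread
GRACE = 5 * 60                # superseded access token stays valid 5 more minutes


class TokenStore:
    """In-memory issuer; 'now' is passed in explicitly so expiry logic is testable."""

    def __init__(self):
        self.access = {}   # access token -> expiry time
        self.refresh = {}  # refresh token -> (expiry time, user, paired access token)

    def login(self, user, now):
        return self._issue(user, now)

    def _issue(self, user, now):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access[access] = now + ACCESS_TTL
        self.refresh[refresh] = (now + REFRESH_TTL, user, access)
        return access, refresh

    def access_valid(self, token, now):
        exp = self.access.get(token)
        return exp is not None and now < exp

    def refresh_pair(self, refresh_token, now):
        """Return a new (access, refresh) pair, or None when a fresh login is needed."""
        entry = self.refresh.pop(refresh_token, None)  # single use: rotated on success
        if entry is None:
            return None  # unknown, or already used (replay of a rotated token)
        exp, user, old_access = entry
        if now >= exp:
            self.access.pop(old_access, None)
            return None  # more than one refresh window without a visit: real timeout
        # Keep the old access token alive briefly so requests still carrying it
        # (other tabs, parallel calls) do not fail immediately after rotation.
        self.access[old_access] = now + GRACE
        return self._issue(user, now)  # sliding window: a fresh 3-day refresh expiry


def on_enter(store, access, refresh, now, user):
    """Client-side flow from the thread's conclusion: verify the stored access token,
    refresh it if expired, and only fall back to a full login when refresh fails."""
    if store.access_valid(access, now):
        return "kept", (access, refresh)
    pair = store.refresh_pair(refresh, now)
    if pair is not None:
        return "refreshed", pair
    return "login", store.login(user, now)
```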