如何使用 Laravel 管理 OAuth 刷新令牌?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/33988064/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How can I manage OAuth refresh tokens with Laravel?
提问by user5431713
The Socialiate plugin provides an implementation for OAuth in Laravel, but it seems to be designed for mostly for the purpose of allowing them to not have to make a user account on your own site.
Socialiate 插件为 Laravel 中的 OAuth 提供了一个实现,但它似乎主要是为了让他们不必在您自己的站点上创建用户帐户。
I am making an application that helps manage their Youtube account, meaning the scope of the auth request is broader (which was easy to change) but I also need a refresh token (versus just an access token) for long-term access to their account.
我正在制作一个帮助管理他们的 Youtube 帐户的应用程序,这意味着身份验证请求的范围更广(这很容易更改)但我还需要一个刷新令牌(而不是访问令牌)以长期访问他们的帐户.
Is there a package out there for Laravel that already handles this? I haven't been able to find one, but maybe I'm searching for the wrong thing.
Laravel 有没有已经处理过这个问题的软件包?我一直找不到,但也许我正在寻找错误的东西。
If not, how should I approach this? When I write my code that interacts with Youtube's API, do I simply need to check whether the access token is expired, and if so, write a function that does an HTTP request to get a new one with the refresh token I have stored in the database? And I guess also extend Socialite to retrieve a refresh token?
如果没有,我应该如何处理?当我编写与 Youtube 的 API 交互的代码时,我是否只需要检查访问令牌是否已过期,如果是,则编写一个执行 HTTP 请求的函数,以使用我存储在数据库?而且我想还扩展 Socialite 以检索刷新令牌?
I feel like there's got to be a better way that doesn't involve me re-inventing the wheel.
我觉得必须有一种更好的方法,而不需要我重新发明轮子。
回答by tyteen4a03
It's been a while since this question was last visited, and seeing that it is the first Google result, I'd like to say: This is now possible with Socialite.
自从上次访问这个问题已经有一段时间了,看到这是第一个谷歌结果,我想说:Socialite 现在可以做到这一点。
When you redirect your users to Google, set access_typeto offlinewith the with()method when redirecting, like this:
当您将用户重定向到 Google 时,使用重定向时的方法设置access_type为,如下所示:offlinewith()
return Socialite::driver('google')
->scopes() // For any extra scopes you need, see https://developers.google.com/identity/protocols/googlescopes for a full list; alternatively use constants shipped with Google's PHP Client Library
->with(["access_type" => "offline", "prompt" => "consent select_account"])
->redirect();
This will make Google return a refresh token.
这将使谷歌返回一个刷新令牌。
回答by Brynn Bateman
This is difficult to find information for, partially because of the OAuth2-server package for Laravel to provide its own OAuth solution which is most of the search results.
这很难找到信息,部分原因是 Laravel 的 OAuth2-server 包提供了自己的 OAuth 解决方案,这是大多数搜索结果。
I think the best answer is going to be writing your own YoutubeProvider for Socialite. Here's a tutorial: https://medium.com/laravel-news/adding-auth-providers-to-laravel-socialite-ca0335929e42#.6bn8i2wz4
我认为最好的答案是为 Socialite 编写自己的 YoutubeProvider。这是一个教程:https: //medium.com/laravel-news/adding-auth-providers-to-laravel-socialite-ca0335929e42#.6bn8i2wz4
It will be a pain to change Socialite to start working with refresh tokens, so I think the best route will be for the YoutubeProvider to have an additional call to a new getRefreshToken function at the end of the existing getAccessToken function. Change both the access and refresh tokens to save the retrieved token to the database, because Socialite will not give you the option to access the refresh token to save it in a helper/controller class.
更改 Socialite 以开始使用刷新令牌会很痛苦,所以我认为最好的方法是让 YoutubeProvider 在现有 getAccessToken 函数的末尾额外调用一个新的 getRefreshToken 函数。更改访问令牌和刷新令牌以将检索到的令牌保存到数据库中,因为 Socialite 不会为您提供访问刷新令牌以将其保存在帮助器/控制器类中的选项。
Create a Tokens model and database table, and store both access and refresh tokens in there with a relationship to a User model.
创建令牌模型和数据库表,并将访问令牌和刷新令牌存储在其中,并与用户模型建立关系。
When you write your YoutubeService helper, it will need to be able to attempt an API call with an access token and know to refresh it with the refresh token if it receives the error message that it's expired/invalid.
当您编写 YoutubeService 助手时,它需要能够尝试使用访问令牌进行 API 调用,并知道如果它收到它已过期/无效的错误消息,就使用刷新令牌对其进行刷新。
The Google's API library for PHP seems to handle this automatically with $client->setAccessType("offline"): https://developers.google.com/api-client-library/php/auth/web-app
用于 PHP 的 Google API 库似乎可以通过以下方式自动处理$client->setAccessType("offline"):https: //developers.google.com/api-client-library/php/auth/web-app
but as soon as you start needing refresh tokens for something other than Google, you'll be writing that code anyway if the new provider doesn't also have a library. On the upside, this library has a Service specifically for Youtube, so it should handle all the API calls to Youtube that you may need. I am not sure entirely how using this library will mesh with Socialite, since Socialite seems to already do a lot of what this library does. You might wind up making some sort of redundant authorization within your YoutubeService class unless you really want to start customizing things.
但是,一旦您开始需要 Google 以外的其他东西的刷新令牌,如果新的提供程序也没有库,您无论如何都会编写该代码。从好的方面来说,这个库有一个专门针对 Youtube 的服务,所以它应该处理你可能需要的对 Youtube 的所有 API 调用。我不完全确定使用这个库将如何与 Socialite 融合,因为 Socialite 似乎已经做了这个库所做的很多事情。除非您真的想开始自定义内容,否则您可能会在 YoutubeService 类中进行某种冗余授权。
It might be worth considering removing Socialite from the equation entirely and using Google's library when it comes to their services.
可能值得考虑完全从等式中删除 Socialite 并在涉及其服务时使用 Google 的库。
