Login   Register  
PHP Classes
elePHPant
Icontem

Refresh token

Recommend this page to a friend!
Stumble It! Stumble It! Bookmark in del.icio.us Bookmark in del.icio.us

      PHP OAuth API  >  All threads  >  Refresh token  >  (Un) Subscribe thread alerts  
Subject:Refresh token
Summary:Implementation of refresh token workflow
Messages:10
Author:Ariel Barreiro
Date:2012-11-29 23:10:03
Update:2013-03-15 08:32:32
 

  1. Refresh token   Reply  
Picture of Ariel Barreiro
Ariel Barreiro
2012-11-29 23:10:03
Do you think it's too hard to implement the refresh token workflow within the class?

  2. Re: Refresh token   Reply  
Picture of Manuel Lemos
Manuel Lemos
2012-11-30 04:18:47 - In reply to message 1 from Ariel Barreiro
No, it would not be hard.

I did not see any OAuth server issuing refresh tokens either. Which servers you know that issue refresh tokens?

  3. Re: Refresh token   Reply  
Picture of Stuart Laverick
Stuart Laverick
2012-12-12 19:53:13 - In reply to message 2 from Manuel Lemos
Hello Manuel,
Googles API OAuth server uses refresh tokens:
https://developers.google.com/accounts/docs/OAuth2WebServer# ...
Without wanting to hack the class, how would you recommend we capture the returned refresh token?
I can see how to add the access_type=offline to the url between the Initialize call and the Process call, but the Process function does not capture the refresh_token parameter returned from the server, so I cannot store it via my overloaded StoreAccessToken.
Any help appreciated, thanks.

  4. Re: Refresh token   Reply  
Picture of Manuel Lemos
Manuel Lemos
2012-12-12 23:04:21 - In reply to message 3 from Stuart Laverick
I may need to study this further but the way I see it, refresh tokens are for when the current token expires. So a check could be placed before the next API call and attempt to get a new token.

The new token replaces the old one, so I do not follow why do you think StoreAccessToken would be an appropriate way to update a refreshed token.

Just keep in mind that since tokens are meant to be used for offline access, using the default storage that relies in sessions, is not a good solution to store tokens because when the user is not present the sessions do not exist.

  5. Re: Refresh token   Reply  
Picture of Stuart Laverick
Stuart Laverick
2012-12-13 10:43:47 - In reply to message 4 from Manuel Lemos
I have over loaded the StoreAccessToken and GetAccessToken so they both store to the DB locally.
For offline access the Google tokens are short lived (3920 seconds) and will require a new authentication if left to expire.
My plan is to store the refresh token and before each API call to check the expiry on the stored access token, if too old, then use the refresh token to get a new access token.
My only problem is getting and storing the refresh token, as it is passed back as part of the authentication process if access_type=offline is passed in the request. However your class does not pass this through to StoreAccessToken, so I cannot get it to store for later use.

  6. Re: Refresh token   Reply  
Picture of Manuel Lemos
Manuel Lemos
2012-12-20 04:17:33 - In reply to message 5 from Stuart Laverick
I have not studied this in depth because I did not yet had the time, but the way I see it to get also a refresh token is just a matter of adjusting the dialog URL to include the access_type=offline parameter.

If a refresh token is returned by the server, the class would pass it to the StoreAccessToken function.

  7. Re: Refresh token   Reply  
Picture of Steve Penn
Steve Penn
2013-02-12 14:13:24 - In reply to message 6 from Manuel Lemos
Within Box the reply is sent back with the standard response so it is just a case of within the class just inserting

line 1170 - 1173

$access_token = array(
'value'=>$this->access_token = $response['access_token'],
'refresh_token' => $this->refresh_token = $response['refresh_token'],
'authorized'=>true
);

Then just use CallAPI to get a new access token, but I've been looking into google (as my other post) and I'm not sure where I could change this class to set the new parameters, I know which need to be set but seeing them is a different issue :P.

if you could give me the line which first calls the api (after initialisation) then it would be simples :P (just a case of editing the URL parameters (as stated above =])).

  8. Re: Refresh token   Reply  
Picture of Steve Penn
Steve Penn
2013-02-12 14:18:26 - In reply to message 7 from Steve Penn
sorry the lines were 1771 - 1773 (my bad)

  9. Re: Refresh token   Reply  
Picture of Steve Penn
Steve Penn
2013-02-14 12:02:16 - In reply to message 8 from Steve Penn
on line 1315 replace that line with this:

$this->dialog_url = 'https://accounts.google.com/o/oauth2/auth?response_type=code&client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}&scope={SCOPE}&state={STATE}&access_type=offline&approval_prompt=auto';

The approval prompt will work as is first time but if you do not save it it will try and make a new access token without offline access if this happens replace 'auto' with 'force' and it will take you back to the approval page.

to gather the refresh token refer to my post above (may be out by 3 or 4 lines because i added the box functionality to the class previously)

i'm not sure where to go from here though, Thank you for this wonderful class =] it has already helped me heaps and bounds and now I just need to get files via Drive (i am lost with that XD) but thanks again =]

  10. Re: Refresh token   Reply  
Picture of Manuel Lemos
Manuel Lemos
2013-03-15 08:32:32 - In reply to message 5 from Stuart Laverick
OK, I have added support for refresh tokens. The class calls GetAccessToken from the CallAPI function if the access_token variable is not set.

If the token expired, the CallAPI function attempts to obtain a new token. Then it calls StoreAccessToken to store the new access_token value.

Note that these functions must store and retrieve a new entry in the access token array named 'refresh_token', so the class can use it to refresh the token when it expires.

It is working with either Google and Box.net.