Are the criteria that the library uses to determine the validity of an access token good enough to cover a few corner cases?

karthik reddy

Jun 6, 2011, 9:19:53 PM
to gwt-oauth2 users
I was going through the source code and I was wondering if the
following criterion [present within the login(AuthRequest req, final
Callback callback) method of Auth.java] is enough (does it cover all
corner cases?) to determine whether a previously fetched access
token is still valid or not.

    final TokenInfo info = getToken(req);
    if (info == null || info.expires == null || expiringSoon(info)) {
      doLogin(authUrl, callback);
    } else {
      scheduler.scheduleDeferred(new ScheduledCommand() {
        @Override
        public void execute() {
          callback.onSuccess(info.accessToken);
        }
      });
    }

The reason I ask is that I am not sure whether the aforementioned
criterion covers the following case:

1) User opens a brand new browser session.
2) User visits TestWebsite.com (TestWebsite.com uses gwt-oauth2 to
interface with Facebook).
3) User clicks on, say, the classic fLogin icon present on
TestWebsite.com, and that user action results in the Facebook login
window popping up.
4) User enters his/her Facebook credentials into the popup, clicks
"log in" and logs in successfully to TestWebsite.com using Facebook
credentials.

So far so good.

5) Now, the user opens a different tab, visits facebook.com and logs
out of facebook.com by clicking the log out link of facebook.com.
6) The user now switches to the tab with TestWebsite.com and logs out
of TestWebsite.com as well.
7) The user, who is still on TestWebsite.com, clicks on the fLogin
icon.

Now, it seems like gwt-oauth2 is still trying to make use of the
previously fetched access token, which is no longer valid because
the user has logged out of facebook.com.
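An added example, not part of the original post and not gwt-oauth2 code: a self-contained Java model of the scenario in the post, showing that a check based only on locally stored expiry data cannot see a token invalidated on the provider side, and one way a client can recover by discarding the cached token when the provider rejects it. All class and method names, the ten-minute "expiring soon" window and the provider's revocation behaviour are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Predicate;

/** Added sketch, not gwt-oauth2 code: every name here is hypothetical. */
public class CachedTokenDemo {
  static final class Token {
    final String value; final long expiresAtMs;
    Token(String value, long expiresAtMs) { this.value = value; this.expiresAtMs = expiresAtMs; }
  }

  static final long SOON_MS = 10 * 60 * 1000;        // assumed "expiring soon" window
  final Map<String, Token> cache = new HashMap<>();  // stand-in for the client-side token store
  int logins = 0;

  /** Like the check in the post: only locally stored data is consulted. */
  boolean locallyValid(Token t, long nowMs) {
    return t != null && t.expiresAtMs - nowMs > SOON_MS;
  }

  /** Stand-in for the popup flow; issues a fresh token valid for one hour. */
  Token doLogin(String key, long nowMs) {
    Token t = new Token("token-" + (++logins), nowMs + 3_600_000L);
    cache.put(key, t);
    return t;
  }

  /** Reuse a cached token, but discard it and log in again if the provider rejects it. */
  String tokenFor(String key, long nowMs, Predicate<String> providerAccepts) {
    Token t = cache.get(key);
    if (!locallyValid(t, nowMs)) t = doLogin(key, nowMs);
    if (!providerAccepts.test(t.value)) {            // e.g. an API call answered "invalid token"
      cache.remove(key);                             // the local check could not have caught this
      t = doLogin(key, nowMs);
    }
    return t.value;
  }

  public static void main(String[] args) {
    CachedTokenDemo auth = new CachedTokenDemo();
    long now = 0;
    String first = auth.tokenFor("facebook", now, v -> true);  // steps 1-4: fresh login
    // Steps 5-7: constructed assumption that the provider-side logout revoked the first token.
    Token cached = auth.cache.get("facebook");
    System.out.println("local check passes: " + auth.locallyValid(cached, now + 60_000));
    String second = auth.tokenFor("facebook", now + 60_000, v -> !v.equals(first));
    System.out.println(first + " -> " + second);
  }
}
```

The same effect can be had by clearing the cached token when the user logs out of the site itself (step 6), so that the next login always goes through the provider.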