How to test if an OAuth2 token is valid


Davy De Waele

Aug 8, 2011, 1:34:40 AM
to oauth...@googlegroups.com
Hi,

I have some logic in my application to check if a user has already authorized my application to access his data.
For that, I'm retrieving his OAuth2 token, and I'm doing an actual API call (using an API that was scoped for the OAuth token).

If the API call works, I consider the token to be valid.
If the API call fails, I consider the token to be invalid, and guide the user through the OAuth flow.

Is there another way to verify if the token is still valid without performing an actual API call?

Regards,
Davy

Marius Scurtescu

Aug 8, 2011, 11:35:51 AM
to oauth...@googlegroups.com
Hi again,

See comments below...

On Sun, Aug 7, 2011 at 10:34 PM, Davy De Waele <ddew...@gmail.com> wrote:
> Hi,
> I have some logic in my application to check if a user has already
> authorized my application to access his data.
> For that, I'm retrieving his OAuth2 token, and I'm doing an actual API call
> (using an API that was scoped for the OAuth token).

What flow are you using to retrieve the OAuth 2 token? Are you
retrieving both a refresh token and an access token?


> If the API call works, I consider the token to be valid.
> If the API call fails, I consider the token to be invalid, and guide the
> user through the OAuth flow.

Sort of. You have to check the HTTP status code you get back on the
failed API call. If it is 401 then most likely the token expired. For
any other code there is some other problem with the call.


> Is there another way to verify if the token is still valid without
> performing an actual API call?

When the token is issued you also receive a hint with expires_in, you
can use that to track the approximate time when the token will expire.


Marius

Davy De Waele

Aug 8, 2011, 1:21:47 PM
to oauth...@googlegroups.com
Hi,

I'm using a lot of Google APIs (Buzz, Fusion Tables, Latitude, ...) all using OAuth 2.0.
Flows are working fine.
Just thought if there was some built-in function (an isValid() or something) you could call on a token without actually performing a "dummy" API call.

I'm using the Google APIs client library for Java (http://code.google.com/p/google-api-java-client/) that does the refreshing for me automatically.

Marius Scurtescu

Aug 8, 2011, 2:53:26 PM
to oauth...@googlegroups.com
Hi,

See comments below...

On Mon, Aug 8, 2011 at 10:21 AM, Davy De Waele <ddew...@gmail.com> wrote:
> Hi,
> I'm using a lot of Google APIs (Buzz, Fusion Tables, Latitude,...) all using
> OAuth 2.0.
> Flows are working fine.
> Just thought if there was some built-in function (an isValid() or something)
> you could call on a token without actually performing a "dummy" API call.

No, these tokens cannot be statically validated. You have to place an
API call to know. Also, keep in mind that end users can revoke them.

Marius
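
Added example (not part of the thread, and not code from the Google client library): a sketch of the handling the two replies above describe, tracking expires_in locally and treating only a 401 as evidence about the token. The class and function names, the action strings, the 60-second margin and the "refresh once, then re-authorize" rule are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

EXPIRY_MARGIN = 60  # seconds; assumed safety margin, since expires_in is only a hint

# Constructed sample of a token response (values are placeholders).
SAMPLE_RESPONSE = {"access_token": "constructed-access-token",
                   "expires_in": 3600,
                   "refresh_token": "constructed-refresh-token"}


@dataclass
class StoredToken:
    access_token: str
    expires_at: float        # local estimate: time of issue + expires_in
    has_refresh_token: bool

    @classmethod
    def from_response(cls, response, now=None):
        now = time.time() if now is None else now
        return cls(response["access_token"],
                   now + int(response["expires_in"]),
                   "refresh_token" in response)


def before_api_call(token, now=None):
    """Local check. It can say 'probably expired', never 'definitely valid':
    a token the user revoked looks fine here until the server rejects it."""
    now = time.time() if now is None else now
    if now >= token.expires_at - EXPIRY_MARGIN:
        return "refresh" if token.has_refresh_token else "reauthorize"
    return "call_api"


def after_api_call(token, status, retried_after_refresh=False):
    """Interpret the HTTP status of a real API call made with the token."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        # Expired or revoked. Assumed policy: refresh once; a second 401 means a new OAuth flow.
        if token.has_refresh_token and not retried_after_refresh:
            return "refresh_and_retry"
        return "reauthorize"
    # Any other code is a problem with the call, not evidence about the token.
    return "report_error"
```
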

Davy De Waele

Aug 8, 2011, 3:24:37 PM
to oauth...@googlegroups.com
ok great..... thx for the pointers !