
Google OAuth 2.0: check if my refresh access token is expired or not

Hi, I am setting offline access when a user tries to log in with Google OAuth 2.0, and then I am getting a refresh token and storing it in my database so that I can use it later on without asking the user to log in again. I have found out that a user can revoke our application's access from his Google apps in his Google account, and after that our refresh access token will not work.

So is there a way we can check whether our refresh token is valid or not before using it? I have tried to find out from the Google API docs but could not find any help; I can only find that we can check the expiry time of a simple access token, which is valid for only 1 h.

 if($client->isAccessTokenExpired())

But I want to check my refresh token. Is there a way we can check it, or does Google OAuth 2.0 have some webhook which can call our URL when a user has revoked our application's access?

Here is my code for login:

$google_redirect_url = $url;
$client = new \Google_Client();
$client->setAuthConfig('/secret.json');
$client->setRedirectUri($google_redirect_url);
$client->setAccessType('offline');        // offline access
$client->setIncludeGrantedScopes(true);   // incremental auth
$client->setApprovalPrompt('force');
$client->setScopes(array(
    'https://www.googleapis.com/auth/plus.me',
    'https://www.googleapis.com/auth/userinfo.email',
    'https://www.googleapis.com/auth/userinfo.profile',
    'https://www.googleapis.com/auth/youtube',
    'https://www.googleapis.com/auth/youtube.upload'
));

I have also been searching for a solution but could not find it.

Muhammad Usama Mashkoor asked Mar 08 '23 16:03


1 Answer

You need to consider what you are going to do here. You want to send a request to Google before you attempt to refresh the access token, asking if it's OK to use this refresh token. Then if Google says it's OK, you're going to then use your refresh token.

This may seem like a good idea in theory; after all, we all like to avoid errors. However, what you are doing is doubling the number of requests you are making simply to avoid an error if the refresh token is not working. Why would you want to double the number of requests you are making?

What you should do is simply attempt to use the refresh token; if it fails, ask the user for access again. Assuming this is running automated, just delete the refresh token from your database and no longer try to automatically run this user's requests.

That being said, the best way, and the only method Google gives us to validate a refresh token, is to try and use it. Any method you find in your library is probably just doing that.

DaImTo answered Mar 10 '23 10:03
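
The "try it, and forget the token if it fails" approach from the answer above, as an added example that is not part of the original answer or of the Google client library. It assumes the client returns an array carrying an `error` key on failure; `refreshOrForget`, the `$forget` callback and `StubClient` are hypothetical names, and the sample responses are constructed.

```php
<?php
/**
 * Try the stored refresh token. Returns the new token array on success,
 * or null if the token could not be used this time.
 * $client is any object exposing fetchAccessTokenWithRefreshToken(), such as
 * Google_Client. $forget is a hypothetical callback that deletes the stored
 * refresh token for this user.
 */
function refreshOrForget(object $client, string $refreshToken, callable $forget): ?array
{
    $token = $client->fetchAccessTokenWithRefreshToken($refreshToken);

    if (!isset($token['error'])) {
        return $token;   // refresh token still works: use the new access token
    }
    if ($token['error'] === 'invalid_grant') {
        // RFC 6749 section 5.2: the refresh token is invalid, expired or revoked.
        $forget();       // stop automated runs and ask the user to log in again
    }
    // Any other error (for example a server-side failure) may be transient:
    // keep the stored token and retry later.
    return null;
}

// Constructed stand-in for Google_Client so the example runs offline.
final class StubClient
{
    public function __construct(private array $response) {}

    public function fetchAccessTokenWithRefreshToken($refreshToken = null): array
    {
        return $this->response;
    }
}

$deleted = false;
$revoked = new StubClient([   // constructed sample error response
    'error' => 'invalid_grant',
    'error_description' => 'Token has been expired or revoked.',
]);
$result = refreshOrForget($revoked, 'stored-refresh-token', function () use (&$deleted) {
    $deleted = true;
});
var_dump($result, $deleted);

$ok = new StubClient(['access_token' => 'constructed-token', 'expires_in' => 3599]);
var_dump(refreshOrForget($ok, 'stored-refresh-token', fn () => null) !== null);
```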