
Refresh Token ([OT]--a demo followed) #21

Closed
hupili opened this issue Sep 30, 2012 · 6 comments

Comments

@hupili
Owner

hupili commented Sep 30, 2012

I just checked the data structure returned by QQ and Renren (*.save files). The two platforms have refresh_token in them. It's better to refresh the access_key when it's near timeout. Then we don't have to prompt the user's browser every time. I'm not sure whether the SP really implements the function of refresh. Check it out later.

Sina is the big brother... One day timeout; no refresh_token returned....

@uxian

@daimajia

I committed a simpler weibo-test. https://github.com/xuanqinanhai/snsapi/blob/master/simple-weibo-test.py
and I checked the save file

[
  {
    "platform": "SinaWeiboStatus",
    "text_length_limit": 140,
    "user_id": "",
    "channel_name": "test_weibo",
    "auth_info": {
      "save_token_file": "(default)",
      "callback_url": "https://snsapi.ie.cuhk.edu.hk/aux/auth.php",
      "cmd_fetch_code": "(default)",
      "cmd_request_url": "(default)"
    },
    "app_secret": "96bcc1e00268d7e415c32212b3e197fb",
    "open": "yes",
    "app_key": "3644324674"
  }
]

and also checked a detailed timeout document in the weibo auth document
"How to calculate overdue time?" Chinese: access_token自动延续方案
I think we can add an auth time (when authed?) to the JSON save file and use the auth level query to know how long the token will be useless.
Save two times (when authed? and how long it can last) to the JSON file. Judge whether to open the browser when a new behavior (which needs to use the token) is called.

ps: I added something in the talk page, waiting for your reply.

@hupili
Owner Author

hupili commented Jan 25, 2013

Hi,

For the demo test script:

  • The test file is good. Welcome any simpler demonstrations. Don't hesitate to share with others who may still be struggling... We can put it in "app/hellosns", where there are some other samples (or put it in the wikis).
  • For this line "and did not provide a app_secret and app_key", I do not quite understand. Do you mean the new_channel method does not return the two fields?
  • The file you show above is the channel.json. The saved access keys are in a ".save" file by default (you can change the path by adding a field in the nc struct, or by modifying channel.json). You can find the expire time in the ".save" file.

For the access_token refresh matter:

  • When we say refresh_token, it means the mechanism of refreshing access_token without user intervention. You use the refresh_token to obtain a new access_token. This is in OAuth. Many overseas providers implement it. However, most mainland service providers do not. The way described in the "access_token自动延续方案" section of that document is indeed asking you to re-authorize.
  • This issue is slightly old... At that time a 1 day expiration was too restrictive for real use. Two months after posting it, Sina extended the expire time to 5 years for developers. Others: renren -- 30 days; tencent -- 7 days. Twitter even gives developers a permanent access_key. So it seems this expiration time is tolerable....
  • The logic of checking for expiration of the key is implemented using the decorator @require_authed. The current action is to stop a @require_authed-ed method if the access_key expires, but not to automatically trigger re-authorization. Since re-authorization needs users to browse the link, it will block if users are not there. In the app sns-router, we provide a config panel from which users can manually refresh tokens.
  • Renren and TencentWeibo have refresh_token; you can check the corresponding "*.save" file. It will be good if refresh (without user intervention) is implemented. I haven't tried whether they really let you refresh.

@daimajia

  • about app_secret and app_key: I viewed your tutorial, and I found your app just gives nc["app_secret"] = "YOU_APP_SECRET_KEY" and did not provide a usable KEY and Secret. So I... and I notice that the test files in the test folder don't work at all (although it's been explained in the markdown file); I still think the test folder is a kind of confusing existence... How about redesigning the tests, deleting them or moving them into the dev version.
  • about the "*.save" file: I didn't notice the save file before... So sorry~
  • about refresh_token: I remember Sina doesn't support refresh_token... and I don't quite understand "it will block if users are not there". Why can't we open the browser to get auth again? Could you give me some more detailed description?

@hupili
Owner Author

hupili commented Jan 25, 2013

Sorry for the confusion about the "tests" folder. It is the unit test of snsapi, which is intended to be run by developers. For union tests, one needs to operate in snscli or write scripts like the above one. As to the Key you hardcode in the script, I will add some details later. All the OSNs we currently touch do not allow other users to authorize test stage Apps, e.g. only the developer can authorize it. In this case, everyone needs to register as a developer first and apply for their own key. If you really want to lower the barrier of first trial, you need to supply a key pair of a formal application (passing a certain audit process.... it's annoying... #11).

@hupili
Owner Author

hupili commented Jan 25, 2013

The reason for not automatically triggering re-authorization is that we have different use cases. If you look into the auth code of snsbase you will find that we support several methods to accomplish the 1st and 2nd stage of authorization. By default, assuming you are using it on your desktop, we prompt the browser and fetch the code by a lightweight HTTP server in the backend. In other situations, you don't have such an environment. For example, the clock demo. It is intended to run on a server (maybe you can only touch it through a terminal). So we use "console_output" and "console_input" to request the URL / collect the code. If refresh_token is in effect, we can refresh access_token for this platform automatically in the SNSAPI layer. Otherwise, I think it is better to let the App layer decide how to proceed, e.g. it can call is_expired() to check and trigger re-authorization using auth().
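As an added illustration (not code from snsapi, nor from either commenter), here is a Python sketch of the scheme discussed across this thread: a save record that keeps when authorization happened and how long the token lasts (daimajia's suggestion above), a require_authed-style decorator that stops a method once the token is stale, and a silent refresh path taken only when the platform handed back a refresh_token, otherwise leaving the decision to the app layer. The record layout, the names try_refresh and demo, and the fake_refresh stand-in are assumptions made for this example.

```python
import json
import time
from functools import wraps


class TokenExpired(Exception):
    """Raised when a method needs a valid access_token and none can be obtained."""


class Channel:
    """Holds one platform's saved credentials and decides when they are stale.

    The record layout (authed_at + expires_in) is an assumption for this
    example, not snsapi's own ".save" schema.
    """

    def __init__(self, save_json, refresh_func=None, clock=time.time, skew=60):
        self.token = json.loads(save_json)
        self.refresh_func = refresh_func   # None when the platform has no refresh endpoint
        self.clock = clock                 # injectable so expiry can be tested deterministically
        self.skew = skew                   # treat the token as expired this many seconds early

    def expires_at(self):
        return self.token["authed_at"] + self.token["expires_in"]

    def is_expired(self):
        return self.clock() >= self.expires_at() - self.skew

    def try_refresh(self):
        """Exchange refresh_token for a new access_token without user intervention.

        Returns False when the saved record has no refresh_token or the platform
        offers no refresh call, so the caller can fall back to auth().
        """
        refresh_token = self.token.get("refresh_token")
        if not refresh_token or self.refresh_func is None:
            return False
        fresh = self.refresh_func(refresh_token)
        self.token.update(fresh)
        self.token["authed_at"] = int(self.clock())
        return True


def require_authed(method):
    """Stop the wrapped method when the access_token is expired.

    Refresh silently if the platform allows it; otherwise raise so the app
    layer can decide whether to prompt the user through auth().
    """
    @wraps(method)
    def wrapper(self, *args, **kwargs):
        if self.is_expired() and not self.try_refresh():
            raise TokenExpired("access_token expired; re-authorization needed")
        return method(self, *args, **kwargs)
    return wrapper


class DemoChannel(Channel):
    @require_authed
    def home_timeline(self):
        # Stand-in for a real API call; reports which token would be sent.
        return "fetched timeline with " + self.token["access_token"]


# Constructed sample record (placeholder values, not real credentials).
SAMPLE_SAVE = json.dumps({
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "refresh_token": "REFRESH_TOKEN_PLACEHOLDER",
    "authed_at": 1359100000,   # unix time of the original authorization
    "expires_in": 86400,       # one-day lifetime, like the Sina case in this thread
})


def fake_refresh(refresh_token):
    """Stand-in for a provider's refresh endpoint (a real one is an HTTPS POST)."""
    return {"access_token": "ACCESS_TOKEN_REFRESHED", "expires_in": 86400}


def demo(now, with_refresh):
    """Run the check at unix time `now`; return the timeline string or 'reauth'."""
    ch = DemoChannel(SAMPLE_SAVE,
                     refresh_func=fake_refresh if with_refresh else None,
                     clock=lambda: now)
    try:
        return ch.home_timeline()
    except TokenExpired:
        return "reauth"   # the app layer would call auth() here


if __name__ == "__main__":
    print(demo(1359100000 + 3600, with_refresh=False))    # token still valid
    print(demo(1359100000 + 90000, with_refresh=True))    # refreshed silently
    print(demo(1359100000 + 90000, with_refresh=False))   # app must re-authorize
```

The injectable clock is what makes the expiry logic testable without waiting a day, and the small skew keeps a request from being sent with a token that expires in transit.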

@hupili
Owner Author

hupili commented Jun 1, 2013

This thread is off-topic. The title is modified for future search.

The demand for support of refresh_token is quite low now:

  • Major platforms have very long expiration times. Enough for the convenient use by the app owner (the common use case of SNSAPI). See the apply app key page for the expiration times.
  • refresh token is not implemented by all platforms (have not done a thorough survey; may not reflect the situation now).
  • Support of local username/password finally eliminates the demand. Support of local username/password auth #77

@hupili hupili closed this as completed Jun 1, 2013