问题
I am building a chrome extension. I used chrome.identity.getAuthToken to get the access_token. This provided me the access_token at the client side ( browser ) . Now I want to pass this access_token to my server. I want to have offline access to granted APIs, I understand that for this I have to exchange it with the long-live-token and refresh token. Is there a secure way to pass access_token to server? Or should I use htttp post?
Another way is to redirect the user to server to have both the flow there.
What is the best and most secure practice ?
回答1:
I think sever side flow is best to obtain refresh_token using authorization_code flow.
Using the client side flow you cannot request refresh token , Google will reject that request With the message access_type offline, not allowed for response type token
Once you obtain the access token and refresh token securely in server you could send that to chrome extension , so extension doesn't have to do any extra process in maintaining token, once the token is expired you could request the server for new access token, then server will use the refresh token to refresh the access token and send back to the extension
来源:https://stackoverflow.com/questions/36677386/chrome-extension-needs-offline-access-from-server-side