sootsnoot - 2015-04-18 18:18:10
Ignoring the issue with not being able to get openid_id, I have an issue/question about this scenario:
First time around, the consent screen is displayed, and the user gives consent.
Some time later, the user goes to their Google account security permissions page, and revokes the application's access.
Then they attempt to use Google login again. What happens is that the class produces an "invalid_token" error with description "Invalid Credentials". But they actually do want to re-enable login with Google. They don't get the consent screen, and there's no way to re-enable it directly from Google's permissions page. So what I'm currently doing is to call ResetAccessToken and redirect to the action routine that created the oauth_client_class.
Can that cause a loop? I.e. is there any way to get the invalid_token error if the OAUTH values have been cleared from the session? It seems to me that logically that shouldn't happen.
So for now, in my version of login_with_google, if $success is false I do the following. Does this seem reasonable?
```php
// Inside the login_with_google action; runs only when $success is false.
if ($success === false) {
    if (false !== strpos($client->error, 'access_denied')) {
        $this->_helper->getHelper('FlashMessenger')->addMessage('Application was denied permission to access Google account information');
    }
    elseif (false !== strpos($client->error, 'invalid_token')) {
        // This "should" allow the consent screen to be displayed again:
        // forget the stored token and restart the OAuth flow from the action that created the client.
        $this->_helper->getHelper('FlashMessenger')->addMessage('Looks like the google user had revoked access by this application, so we asked if you want to change your mind');
        $client->ResetAccessToken();
        $dest = '/default/user/' . substr($action, 0, strpos($action, 'Action'));
        return $this->_redirect($dest);
    }
    else {
        $this->_helper->getHelper('FlashMessenger')->addMessage('Login with Google failed for an unknown reason at ' . gmdate("M d Y H:i:s") . '. Please contact us with this exact/complete message text, using the Contact Us form');
    }
    return $this->_redirect("/default/user/failure");
}
```
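The scenario in this post (an invalid_token error after the user revoked access, ResetAccessToken plus a redirect to restart the flow, and the question of whether that can loop) as an added example that is not part of the original post or of the PHP OAuth class. It is written in Python as a provider- and framework-independent sketch of the handling logic; the session key names, the one-shot flag `oauth_reconsent_attempted`, the URLs, the messages and the `simulate` driver are this example's own assumptions. The flag bounds the retry: after the stored OAuth values have been cleared once, a second invalid_token goes to the failure page instead of another redirect, so the redirect cannot loop even if the provider keeps rejecting the token.

```python
"""Added example: bounded re-consent retry after a revoked OAuth token.

Constructed illustration of the post's handling logic, not code from the PHP
OAuth class. Session keys, flag name and URLs are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed names of the OAuth values kept in the session (example's own).
TOKEN_KEYS = ("OAUTH_ACCESS_TOKEN", "OAUTH_REFRESH_TOKEN", "OAUTH_STATE")
# Assumed one-shot guard flag that survives the token reset (example's own).
RECONSENT_FLAG = "oauth_reconsent_attempted"


@dataclass
class Session:
    data: dict = field(default_factory=dict)


@dataclass
class Outcome:
    action: str          # "logged_in", "redirect" or "fail"
    target: str = ""     # where to send the browser for redirect/fail
    message: str = ""    # flash message shown to the user


def classify_error(error: str) -> str:
    """Coarsely classify the provider's error string (substring match, as in the post)."""
    e = (error or "").lower()
    if "access_denied" in e:
        return "denied"
    # invalid_token is what the post saw from Google; RFC 6749 section 5.2 uses
    # invalid_grant for an expired or revoked refresh token, so treat both alike.
    if "invalid_token" in e or "invalid_grant" in e:
        return "revoked"
    return "unknown"


def reset_access_token(session: Session) -> None:
    """Forget every stored OAuth value so the next attempt starts a fresh flow."""
    for key in TOKEN_KEYS:
        session.data.pop(key, None)


def handle_login_result(success: bool, error: str, session: Session,
                        restart_url: str, failure_url: str) -> Outcome:
    """Decide what to do after one login attempt, with a one-shot re-consent retry."""
    if success:
        session.data.pop(RECONSENT_FLAG, None)  # clear the guard once login works
        return Outcome("logged_in")
    kind = classify_error(error)
    if kind == "denied":
        return Outcome("fail", failure_url,
                       "Application was denied permission to access Google account information")
    if kind == "revoked":
        if session.data.get(RECONSENT_FLAG):
            # Tokens were already cleared and the provider still rejects the
            # token: another redirect would loop, so give up instead.
            session.data.pop(RECONSENT_FLAG, None)
            return Outcome("fail", failure_url,
                           "Google rejected the token again after re-consent; login aborted")
        session.data[RECONSENT_FLAG] = True
        reset_access_token(session)
        return Outcome("redirect", restart_url,
                       "Access had been revoked; asking for consent again")
    return Outcome("fail", failure_url,
                   "Login with Google failed for an unknown reason: " + (error or ""))


def simulate(responses: List[Tuple[bool, str]], session: Session) -> List[str]:
    """Drive the handler through a scripted sequence of (success, error) responses.

    Each redirect consumes the next scripted response; the run stops on
    logged_in or fail. The slice is a hard cap so a misbehaving script cannot
    run away even if the guard were removed.
    """
    actions = []
    for success, error in responses[:10]:
        out = handle_login_result(success, error, session,
                                  "/default/user/google", "/default/user/failure")
        actions.append(out.action)
        if out.action != "redirect":
            break
    return actions


if __name__ == "__main__":
    # Constructed provider scripts: user re-consents, and provider never recovers.
    print(simulate([(False, "invalid_token: Invalid Credentials"), (True, "")], Session()))
    print(simulate([(False, "invalid_token: Invalid Credentials")] * 5, Session()))
```

The guard answers the "can that cause a loop?" question independently of any assumption about provider behaviour: even if Google did return invalid_token with the session values cleared, the second pass fails closed rather than redirecting again. Separately, Google's authorization endpoint accepts `prompt=consent` on a new authorization request to force the consent screen, which is the usual way to re-prompt a user who has revoked access.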
Manuel Lemos - 2015-04-19 02:37:02 - In reply to message 1 from sootsnoot
Yes, as explained in this article, if a token is revoked, in general you only know after you try it and it fails.
Some APIs may provide calls to check if a token is still valid. I do not know any Google API calls to do that.
phpclasses.org/blog/package/7700/po ...
sootsnoot - 2015-04-19 02:59:34 - In reply to message 2 from Manuel Lemos
Thanks very much, that article was quite helpful. I think your class is a major simplification for many users, certainly for me, by unifying the processing for so many different identity providers. But as you note in the article, the protocol is not simple, and there are a lot of different cases that need to be handled. And exactly what those cases are and how you detect them still do depend to a certain extent on the particular provider. So for Google I guess I need to study their documentation for error messages, and make a decision about how to handle each one.
Thanks!
Manuel Lemos - 2015-04-19 03:19:58 - In reply to message 3 from sootsnoot
Yes, you need to take care of the case that the token is no longer valid for some reason, but as good defensive programming practice advises, you need to do something sensible in all other cases that you are not expecting, because APIs change over time and you cannot anticipate how.
Here is an article on defensive programming:
phpclasses.org/blog/post/65-8-defen ...
Also regarding APIs that change, here is another article that talks about that:
phpclasses.org/blog/post/273-5-Urge ...