Below is what The OAuth 2.0 Authorization Framework specifies about refresh_token; note the part in bold:
Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token (i.e. step (D) in Figure 1).
Taking Sina alone as an example, the validity period of its token depends on the application's authorization level:
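| Authorization level | Test | Normal | Intermediate | Advanced | Partner |
|---|---|---|---|---|---|
| Authorization validity period | 1 day | 7 days | 15 days | 30 days | 90 days |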
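Sina also has a scheme for automatically extending access_token authorization:
If the user reopens the authorization page and authorizes again within the authorization validity period (if the user is logged in to Weibo at that moment, the page will simply flash by), Sina automatically extends the lifetime of the access_token for the developer; developers should maintain the access_token value returned by the new authorization.
Related links: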
The OAuth 2.0 Authorization Framework http://tools.ietf.org/html/draft-ietf...
Sina authorization mechanism description http://open.weibo.com/wiki/%E6%8E%88%...
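The following is an added example, not code from the original post, the RFC, or Sina's documentation: a client-side token record that treats refresh_token as optional and, when none was issued, sends the user back through the authorization page while the current token is still inside its validity period. The field names access_token, expires_in and refresh_token come from the OAuth 2.0 token response; `StoredToken`, `store_token_response`, `next_action` and the thresholds are hypothetical, and the server is assumed to return expires_in.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StoredToken:
    # repr=False keeps credentials out of logs and tracebacks
    access_token: str = field(repr=False)
    expires_at: float = 0.0  # absolute expiry, epoch seconds
    refresh_token: Optional[str] = field(default=None, repr=False)


def store_token_response(resp: dict, now: float,
                         previous: Optional[StoredToken] = None) -> StoredToken:
    """Build the stored record from a token-endpoint JSON response.

    Assumption: the server sends expires_in (the RFC only recommends it).
    Pass `previous` only when `resp` answers a refresh request.
    """
    if "access_token" not in resp or "expires_in" not in resp:
        raise ValueError("token response lacks access_token or expires_in")
    # refresh_token is optional: a refresh response may omit it, in which
    # case the client keeps using the old one; a new one replaces the old.
    refresh = resp.get("refresh_token") or (
        previous.refresh_token if previous else None)
    return StoredToken(resp["access_token"],
                       now + int(resp["expires_in"]), refresh)


def next_action(tok: StoredToken, now: float,
                skew: int = 60, renew_window: int = 3600) -> str:
    """Return 'use', 'refresh' or 'reauthorize' (thresholds are hypothetical)."""
    remaining = tok.expires_at - now
    if tok.refresh_token:
        return "refresh" if remaining <= skew else "use"
    # No refresh token was issued: send the user through the authorization
    # page while the current token is still inside its validity period.
    return "reauthorize" if remaining <= renew_window else "use"


if __name__ == "__main__":
    now = 1_000_000.0  # constructed clock value
    tok = store_token_response(
        {"access_token": "CONSTRUCTED-AT", "expires_in": 86400}, now)
    print(tok, next_action(tok, now), next_action(tok, now + 86400 - 1800))
```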