On 07/30/2013 05:47 PM, Patrick Ohly wrote:
> So the application should:
> - request a token and try to use it
> - in case of failure try to request a token again, and try to use it
> again (in case the first token has expired just before using it)
> - if the second token also fails, request a third token with full
> re-authentication as above.
> - if that fails, then give up.
> If obtaining a token fails, should the app try with
> GSIGNOND_UI_POLICY_REQUEST_PASSWORD if it hasn't already done that? Or
> is any kind of failure to obtain a token considered fatal?

Yes: the plugin tries various ways to obtain the token (first from token
cache, then via refresh token if it's available, then with full user
authentication). If all of them fail, then the full user authentication
has already been attempted, and there's no point in trying again.
Also, after giving it some thought, I think that forcing the use of
refresh token can make sense in case of flaky servers or clock drift. So
I'll add that capability to the plugin, and the proper sequence will
look like this:
- request a token and try to use it
- if it's rejected, request a token again, with a flag that forces the
use of refresh token
- if the second token is also rejected, enable
GSIGNOND_UI_POLICY_REQUEST_PASSWORD and try for the last time.
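
The sequence above, as an added example that is not part of the original message and not gSSO code: a failure to obtain a token is fatal, while a token the server rejects escalates to the next step. The enum names, callback signatures and the fake plugin/server are assumptions made for illustration; only GSIGNOND_UI_POLICY_REQUEST_PASSWORD is a name from the thread.

```c
#include <stdio.h>

/* Hypothetical request modes. Only the last corresponds to a name from the
 * thread (GSIGNOND_UI_POLICY_REQUEST_PASSWORD); the force-refresh flag is
 * the capability proposed in the message and has no name yet. */
enum token_mode { MODE_DEFAULT, MODE_FORCE_REFRESH, MODE_REQUEST_PASSWORD, MODE_COUNT };
enum auth_result { AUTH_OK, AUTH_OBTAIN_FAILED, AUTH_ALL_REJECTED };

/* Application-supplied callbacks (assumed signatures, not gSSO API). */
typedef const char *(*get_token_fn)(enum token_mode mode, void *ctx); /* NULL: none obtained */
typedef int (*use_token_fn)(const char *token, void *ctx);           /* nonzero: accepted */

enum auth_result call_with_token(get_token_fn get, use_token_fn use,
                                 void *ctx, int *attempts)
{
    *attempts = 0;
    for (int mode = MODE_DEFAULT; mode < MODE_COUNT; mode++) {
        const char *token = get((enum token_mode)mode, ctx);
        (*attempts)++;
        if (token == NULL)             /* plugin exhausted cache, refresh and */
            return AUTH_OBTAIN_FAILED; /* full auth itself: fatal, no retry */
        if (use(token, ctx))
            return AUTH_OK;
        /* Token was issued but the server rejected it: escalate one step. */
    }
    return AUTH_ALL_REJECTED;
}

/* Constructed stand-in for plugin and server, for demonstration only. */
struct fake { int accept_from, fail_obtain_at, last_mode; };
static const char *fake_get(enum token_mode m, void *ctx) {
    struct fake *f = ctx;
    f->last_mode = (int)m;
    return (int)m == f->fail_obtain_at ? NULL : "constructed-token";
}
static int fake_use(const char *token, void *ctx) {
    (void)token;
    return ((struct fake *)ctx)->last_mode >= ((struct fake *)ctx)->accept_from;
}
int demo(int accept_from, int fail_obtain_at, int *attempts) {
    struct fake f = { accept_from, fail_obtain_at, -1 };
    return call_with_token(fake_get, fake_use, &f, attempts);
}

int main(void) {
    int n, r = demo(1, -1, &n); /* cached token stale, refreshed one accepted */
    printf("result=%d attempts=%d\n", r, n);
    return 0;
}
```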