本頁面由 Cloud Translation API 翻譯而成。

取消帳戶連結

透過平台或 Google 可能會取消連結，並顯示一致的連結狀態以提供最佳使用者體驗。雖然 Google 帳戶連結不支援憑證撤銷端點或跨帳戶防護功能，

您可以透過下列方式取消連結帳戶：

使用者向
- Google 應用程式或 Google 帳戶設定
- 您的平台
無法更新過期的更新權杖
您或 Google 發起的其他事件。例如濫用與威脅偵測服務將帳戶停權。

使用者要求與 Google 取消連結

透過使用者 Google 帳戶或應用程式取消連結的帳戶，會刪除先前核發的所有存取權和更新權杖、移除使用者同意聲明，並視需要選擇呼叫權杖撤銷端點。

使用者要求與平台取消連結

您應提供讓使用者取消連結的機制，例如帳戶的網址。如果您未提供使用者取消連結的方式，請加入 Google 帳戶連結，方便使用者管理已連結帳戶。

您可以選擇導入 Risk & Eventident and Collaborative (RISC)，然後通知 Google 使用者帳戶連結狀態的變更。如此一來，平台和 Google 就能顯示一致的一致連結狀態，不需要依賴重新整理或存取權杖要求來更新連結狀態，進而改善使用者體驗。

權杖到期時間

為了提供順暢的使用者體驗，並避免服務中斷，Google 會嘗試在生命週期結束時更新續約權杖。在某些情境下，如果使用者的有效重新整理權杖無效，系統可能會要求使用者重新連結帳戶。

將平台設計為支援多個未過期的存取和更新權杖，可以盡可能降低叢集環境中用戶端伺服器交換作業中的競爭狀況、避免使用者中斷的情況，並將複雜的時間與錯誤處理情境降到最低。雖然最終一致，但先前和新核發的未過期權杖在用戶端與伺服器權杖更新交換期間以及叢集同步處理之前，可能會短暫使用一段時間。舉例來說，向使用先前未過期存取權杖之服務向 Google 發出的要求，會在您發出新的存取權杖後執行，但鄰近的接收位置和叢集同步處理才會在 Google 完成。建議您改用重新整理權杖輪替的其他安全性措施。

其他事件

可能會因為各種其他因素 (例如閒置、暫停、惡意行為等) 而取消連結帳戶。在這類情況下，您的平台和 Google 可以最佳通知使用者帳戶和連結狀態的異動，進而管理使用者帳戶並重新連結。

實作權杖撤銷端點，以便 Google 呼叫服務，並使用 RISC 通知權杖權杖撤銷事件，以確保您的平台和 Google 能維持一致的使用者帳戶連結狀態。

權杖撤銷端點

If you support an OAuth 2.0 token revocation endpoint, your platform can receive notifications from Google. This lets you inform users of link state changes, invalidate a token, and cleanup security credentials and authorization grants.

The request has the following form:

POST /revoke HTTP/1.1
Host: oauth2.example.com
Content-Type: application/x-www-form-urlencoded

client_id=GOOGLE_CLIENT_ID&client_secret=GOOGLE_CLIENT_SECRET&token=TOKEN&token_type_hint=refresh_token

Your token revocation endpoint must be able to handle the following parameters:

Revocation endpoint parameters
`client_id`	A string that identifies the request origin as Google. This string must be registered within your system as Google's unique identifier.
`client_secret`	A secret string that you registered with Google for your service.
`token`	The token to be revoked.
`token_type_hint`	(Optional) The type of token being revoked, either an `access_token` or `refresh_token`. If unspecified, defaults to `access_token`.

Return a response when the token is deleted or invalid. See the following for an example:

HTTP/1.1 200 Success
Content-Type: application/json;charset=UTF-8

If the token can't be deleted for any reason, return a 503 response code, as shown in the following example:

HTTP/1.1 503 Service Unavailable
Content-Type: application/json;charset=UTF-8
Retry-After: HTTP-date / delay-seconds

Google retries the request later or as requested by Retry-After.

跨帳戶防護功能 (RISC)

If you support Cross-Account Protection, your platform can notify Google when access or refresh tokens are revoked. This allows Google to inform users of link state changes, invalidate the token, cleanup security credentials, and authorization grants.

Cross-Account Protection is based on the RISC standard developed at the OpenID Foundation.

A Security Event Token is used to notify Google of token revocation.

When decoded, a token revocation event looks like the following example:

{
  "iss":"http://risc.example.com",
  "iat":1521068887,
  "aud":"google_account_linking",
  "jti":"101942095",
  "toe": "1508184602",
  "events": {
    "https://schemas.openid.net/secevent/oauth/event-type/token-revoked":{
      "subject_type": "oauth_token",
      "token_type": "refresh_token",
      "token_identifier_alg": "hash_SHA512_double",
      "token": "double SHA-512 hash value of token"
    }
  }
}

Security Event Tokens that you use to notify Google of token revocation events must conform to the requirements in the following table:

Token revocation events

iss Issuer Claim: This is a URL which you host, and it's shared with Google during registration.

aud Audience Claim: This identifies Google as the JWT recipient. It must be set to google_account_linking.

jti JWT ID Claim: This is a unique ID that you generate for every security event token.

iat Issued At Claim: This is a NumericDate value that represents the time when this security event token was created.

toe Time of Event Claim: This is an optional NumericDate value that represents the time at which the token was revoked.

exp Expiration Time Claim: Do not include this field, as the event resulting in this notification has already taken place.

events

Security Events Claim: This is a JSON object, and must include only a single token revocation event.
`subject_type`	This must be set to `oauth_token`.
`token_type`	This is the type of token being revoked, either `access_token` or `refresh_token`.
`token_identifier_alg`	This is the algorithm used to encode the token, and it must be `hash_SHA512_double`.
`token`	This is the ID of the revoked token.

For more information on field types and formats, see JSON Web Token (JWT).