本頁面由 Cloud Translation API 翻譯而成。

取消帳戶連結
透過集合功能整理內容你可以依據偏好儲存及分類內容。

您可以從您的平台或 Google 啟動取消連結程序，並讓兩者的連結狀態一致，以便提供最佳使用者體驗。您可以選擇支援 Google 帳戶連結的權杖撤銷端點或跨帳戶防護功能。

帳戶遭到下列任一操作取消連結：

來自
- Google 應用程式或 Google 帳戶設定
- 你的平台
無法續購過期的更新權杖
由您或 Google 啟動的其他事件。例如濫用行為和威脅偵測服務導致帳戶遭到停權。

使用者要求取消與 Google 的連結

透過使用者的 Google 帳戶或應用程式啟動的帳戶取消連結作業會刪除先前核發的存取權和重新整理權杖，並移除使用者同意聲明，如果您選擇實作權杖撤銷端點，系統會視需要呼叫該端點。

使用者要求取消連結平台

您應提供使用者解除連結的機制，例如帳戶網址。如果您沒有提供使用者取消連結的方式，請附上 Google 帳戶的連結，方便使用者管理已連結的帳戶。

您可以選擇實施風險與事件分享和合作 (RISC)，並通知 Google 使用者帳戶連結狀態的變更。這樣一來，平台和 Google 都會顯示目前一致的連結狀態，不必透過重新整理或存取權杖要求更新連結狀態，就能提供更優質的使用者體驗。

權杖到期

為了提供流暢的使用者體驗，並避免服務中斷，Google 會在重新整理權杖的效期結束前，嘗試重新整理權杖。在某些情況下，如果無法取得有效的重新整理權杖，可能需要使用者同意才能重新連結帳戶。

設計平台時，如果能支援多個未過期的存取權和重新整理權杖，就能盡量減少叢集環境中用戶端-伺服器交換作業出現的競爭狀態，避免使用者中斷，並盡量減少複雜的時間和錯誤處理情況。雖然最終會達到一致性，但在用戶端-伺服器權杖續約交換期間，以及叢集同步處理前，先前和新發出的未過期權杖可能會在短時間內使用。舉例來說，Google 向您的服務發出要求時，如果使用先前未過期的存取權杖，且在 Google 收到並進行叢集同步之前，建議您採用其他安全性措施來輪替重新整理權杖。

其他事件

帳戶可能會因其他原因而解除連結，例如帳戶閒置、遭到停權、惡意行為等等。在這種情況下，您的平台和 Google 可以透過通知彼此帳戶和連結狀態的變更，妥善管理使用者帳戶並重新連結。

實作權杖撤銷端點供 Google 呼叫，並使用 RISC 通知 Google 您的權杖撤銷事件，確保您的平台和 Google 維持一致的使用者帳戶連結狀態。

符記撤銷端點

If you support an OAuth 2.0 token revocation endpoint, your platform can receive notifications from Google. This lets you inform users of link state changes, invalidate a token, and cleanup security credentials and authorization grants.

The request has the following form:

POST /revoke HTTP/1.1
Host: oauth2.example.com
Content-Type: application/x-www-form-urlencoded

client_id=GOOGLE_CLIENT_ID&client_secret=GOOGLE_CLIENT_SECRET&token=TOKEN&token_type_hint=refresh_token

Your token revocation endpoint must be able to handle the following parameters:

Revocation endpoint parameters
`client_id`	A string that identifies the request origin as Google. This string must be registered within your system as Google's unique identifier.
`client_secret`	A secret string that you registered with Google for your service.
`token`	The token to be revoked.
`token_type_hint`	(Optional) The type of token being revoked, either an `access_token` or `refresh_token`. If unspecified, defaults to `access_token`.

Return a response when the token is deleted or invalid. See the following for an example:

HTTP/1.1 200 Success
Content-Type: application/json;charset=UTF-8

If the token can't be deleted for any reason, return a 503 response code, as shown in the following example:

HTTP/1.1 503 Service Unavailable
Content-Type: application/json;charset=UTF-8
Retry-After: HTTP-date / delay-seconds

Google retries the request later or as requested by Retry-After.

跨帳戶防護 (RISC)

If you support Cross-Account Protection, your platform can notify Google when access or refresh tokens are revoked. This allows Google to inform users of link state changes, invalidate the token, cleanup security credentials, and authorization grants.

Cross-Account Protection is based on the RISC standard developed at the OpenID Foundation.

A Security Event Token is used to notify Google of token revocation.

When decoded, a token revocation event looks like the following example:

{
  "iss":"http://risc.example.com",
  "iat":1521068887,
  "aud":"google_account_linking",
  "jti":"101942095",
  "toe": "1508184602",
  "events": {
    "https://schemas.openid.net/secevent/oauth/event-type/token-revoked":{
      "subject_type": "oauth_token",
      "token_type": "refresh_token",
      "token_identifier_alg": "hash_SHA512_double",
      "token": "double SHA-512 hash value of token"
    }
  }
}

Security Event Tokens that you use to notify Google of token revocation events must conform to the requirements in the following table:

Token revocation events

iss Issuer Claim: This is a URL which you host, and it's shared with Google during registration.

aud Audience Claim: This identifies Google as the JWT recipient. It must be set to google_account_linking.

jti JWT ID Claim: This is a unique ID that you generate for every security event token.

iat Issued At Claim: This is a NumericDate value that represents the time when this security event token was created.

toe Time of Event Claim: This is an optional NumericDate value that represents the time at which the token was revoked.

exp Expiration Time Claim: Do not include this field, as the event resulting in this notification has already taken place.

events

Security Events Claim: This is a JSON object, and must include only a single token revocation event.
`subject_type`	This must be set to `oauth_token`.
`token_type`	This is the type of token being revoked, either `access_token` or `refresh_token`.
`token_identifier_alg`	This is the algorithm used to encode the token, and it must be `hash_SHA512_double`.
`token`	This is the ID of the revoked token.

For more information on field types and formats, see JSON Web Token (JWT).