Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
E
E
Eugene Vdovenko2015-09-09 18:46:37
Zend Framework
Eugene Vdovenko, 2015-09-09 18:46:37

Where and is it worth storing authorization data via OAuth2 and where to get it from for the following requests?

There is an API server running BShaffer OAuth 2 Server ( https://github.com/bshaffer/oauth2-server-php).
And there is a web application that uses the OAuth2 client from the PHP League ( https://github.com/thephpleague/oauth2-client).
The user logs in to the web application using the login/password form. I send it to the oauth2 server, I get access_token, refresh_token, expire back.
Let's say I can save access_token in the session. Well, maybe expire yet. But I don’t really want to store refresh_token there, because it’s not too secure.
Can anyone tell me how to check the correctness of access_token, refresh_token and expire on, for example, the next request to the API? And how to update access_token if you don't store refresh_token? Share experience of implementations, please.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
S
Stalker_RED, 2015-09-09
@Stalker_RED

Store in the database, or ask the user for the password again and again.

Report
M
Maxim Timofeev, 2015-09-09
@webinar

In the database to user data

Report
E
Eugene Vdovenko, 2015-09-09
@Misanthropist

Well, the oauth2 server, of course, can get into the database. But the application has no access to the database. The application has access to localstorage, cookies, and maybe session. Well, theoretically, you can put memcache. And then, I would not really want to tie the application to the backend. Those. in fact, we have to store / retrieve information: local storage, cookies and requests to the API, while the access token is valid.
In order not to ask for a password again and again - I store an access_token in the session. However, any user with this session cookie will have access to the access_token. And if you also store refresh_token in the same place, the user gets access to the API that is not limited in time. Which in general is not very good.

Similar questions
G
Grizmar2014-09-17 18:42:22
Why don't images load when visiting a URL like "localhost/app/2" in Zend Framework 2? 1Reply
B
bahek24627742014-10-28 00:40:57
Resources from DB - BjyAuthorize - Zend Framework 2? 2Reply
C
Cat Anton2014-11-28 14:07:23
How to set allow_empty on a form element using a factory in ZF2? 1Reply
V
Vadim2014-12-10 02:23:45
What to do with JS which is used in View in ZendFramework2? 1Reply
V
Vadim Ivanenko2014-12-14 14:30:39
Why does schema-tool:update try to replace existing foreign keys with its own? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question