Where (and is it worth it) should OAuth2 authorization data be stored, and where should subsequent requests get it from?
There is an API server running the BShaffer OAuth 2 Server (https://github.com/bshaffer/oauth2-server-php).
And there is a web application that uses the OAuth2 client from the PHP League (https://github.com/thephpleague/oauth2-client).
The user logs in to the web application using the login/password form. I send it to the OAuth2 server and get back access_token, refresh_token and expire.
Let's say I can save the access_token in the session. Well, maybe the expire too. But I don't really want to store the refresh_token there, because it's not too secure.
Can anyone tell me how to check the validity of access_token, refresh_token and expire on, for example, the next request to the API? And how to renew the access_token if you don't store the refresh_token? Please share your experience with implementations.
Store it in the database, or ask the user for the password again and again.
Well, the OAuth2 server, of course, can get into the database. But the application has no access to the database. The application has access to localStorage, cookies and maybe the session. Well, theoretically, you could put memcache in. And then, I would not really want to tie the application to the backend. That is, in fact, we have to store/retrieve information in local storage, cookies and requests to the API while the access token is valid.
So as not to ask for the password again and again, I store the access_token in the session. However, any user with this session cookie will have access to the access_token. And if you also store the refresh_token in the same place, the user gets access to the API that is not limited in time. Which in general is not very good.
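One way to lay this out with the League client, as an added example that is not from the question, the answer or the bshaffer/thephpleague projects: the access_token and its absolute expiry live in the PHP session, the refresh_token is sealed with a server-only key and kept in a separate server-side store that is wiped on logout, and every API call goes through a function that reads the session copy, refreshes server-side when the expiry is near, and fails closed otherwise. The endpoint URLs, client id, environment variables, the `RefreshTokenStore` class and the directory it writes to are all assumptions for the example.

```php
<?php
// Added example for this thread, not code from the question or from the bshaffer/league
// projects. Assumes `composer require league/oauth2-client`, PHP >= 7.2 with ext-sodium,
// and hypothetical endpoint URLs, client id and environment variables.
require __DIR__ . '/vendor/autoload.php';
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Provider\GenericProvider;
use League\OAuth2\Client\Token\AccessToken;

session_start();
$provider = new GenericProvider([
    'clientId'                => 'webapp',                      // assumed
    'clientSecret'            => getenv('OAUTH_CLIENT_SECRET'), // assumed env var
    'urlAuthorize'            => 'https://api.example/authorize',
    'urlAccessToken'          => 'https://api.example/token',
    'urlResourceOwnerDetails' => 'https://api.example/me',
]);
// Hypothetical server-side store: the refresh token is sealed with a key the browser never
// sees and filed under a hash of the session id. A directory here; memcache or a table works too.
final class RefreshTokenStore
{
    private $dir, $key;
    public function __construct(string $dir, string $hexKey)
    {
        $this->dir = $dir;
        @mkdir($dir, 0700, true);
        $this->key = sodium_hex2bin($hexKey);  // 32 bytes, from REFRESH_TOKEN_KEY (assumed); sodium rejects other sizes
    }
    private function path(): string
    {
        return $this->dir . '/' . hash('sha256', session_id()) . '.rt';
    }
    public function put(string $refreshToken): void
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        file_put_contents($this->path(), $nonce . sodium_crypto_secretbox($refreshToken, $nonce, $this->key), LOCK_EX);
    }
    public function get(): ?string
    {
        $blob = @file_get_contents($this->path());
        if ($blob === false || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            return null;
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $this->key);
        return $plain === false ? null : $plain;
    }
    public function forget(): void
    {
        @unlink($this->path());
    }
}
$store = new RefreshTokenStore(sys_get_temp_dir() . '/oauth-rt', getenv('REFRESH_TOKEN_KEY'));

// Only the access token and its absolute expiry go into the session record.
function rememberAccessToken(AccessToken $token): void
{
    $_SESSION['oauth'] = ['access_token' => $token->getToken(), 'expires' => $token->getExpires()];
}

// Login form handler: password grant, new session id, the two tokens kept apart.
function login(GenericProvider $provider, RefreshTokenStore $store, string $user, string $pass): void
{
    $token = $provider->getAccessToken('password', ['username' => $user, 'password' => $pass]);
    $store->forget();                       // drop anything filed under the pre-login session id
    session_regenerate_id(true);
    rememberAccessToken($token);
    if ($token->getRefreshToken() !== null) {
        $store->put($token->getRefreshToken());
    }
}

// Before each API call: rebuild the token from the session; within $skew seconds of expiry,
// refresh it server-side; otherwise fail closed so the caller sends the user back to the form.
function currentToken(GenericProvider $provider, RefreshTokenStore $store, int $skew = 30): AccessToken
{
    $token = new AccessToken($_SESSION['oauth'] ?? []);   // throws InvalidArgumentException when not logged in
    if ($token->getExpires() === null || $token->getExpires() - $skew > time()) {
        return $token;
    }
    $refresh = $store->get();
    if ($refresh === null) {
        throw new RuntimeException('access token expired and no refresh token on file: log in again');
    }
    try {
        $fresh = $provider->getAccessToken('refresh_token', ['refresh_token' => $refresh]);
    } catch (IdentityProviderException $e) {
        $store->forget();                   // rejected (revoked or expired on the server): force a new login
        throw new RuntimeException('refresh failed: ' . $e->getMessage(), 0, $e);
    }
    rememberAccessToken($fresh);
    if ($fresh->getRefreshToken() !== null) {  // the server may rotate refresh tokens
        $store->put($fresh->getRefreshToken());
    }
    return $fresh;
}
// On an API-backed page: $provider->getParsedResponse($provider->getAuthenticatedRequest('GET', $url, currentToken($provider, $store)));
// On logout: $store->forget(); session_destroy();
```

Two caveats worth keeping in mind. First, PHP's default session handler already keeps session data on the server; the cookie carries only the session id, so the real exposure in the thread is a stolen session cookie. This layout does not stop such a cookie from driving the API through the application while the session is alive, but the refresh token can no longer be read out of the session record, and its usefulness ends with `forget()` on logout or when the session expires. Second, the client has no way to verify an opaque access_token on its own: it trusts the `expires` value it was given and treats a 401 from the API as an expired or revoked token, refreshing once and otherwise sending the user back to the login form. The bshaffer server can be configured to issue a new refresh token on every refresh (`always_issue_new_refresh_token`), which is why the code stores whatever refresh token comes back rather than assuming the old one still works.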