Multiple OAuth2 access tokens for single application?

Maybe someone could clarify this for me, as I am not finding it clearly written in the documentation...

I have a single application which is running on multiple machines. With OAuth2 I have to obtain an access token in order to work with the Google API. Do I need to use a single access token across all my hosts and take care that it is synchronized across them (which increases the complexity, as once the token expires it must be refreshed and again distributed across all hosts), or is it possible for each host to get its own token and cache it locally?

I am not really sure whether the 2nd option is safe (though it would be easier to implement), as the documentation says that a token can become invalid once it is refreshed. Could it happen that while one host is creating its "own" token, all other tokens (from other hosts) automatically become invalid?

Laimoncijus asked Apr 18 '13 07:04
1 Answer

I assume your application is a web application deployed in a cluster, is that correct?

Is there session state distributed over the cluster? If so, add the access token to the session.

In theory you can have multiple access tokens, but don't rely on that. There are rate limits that you can run into, but if a machine only occasionally gets multiple access tokens, it is not an issue.

mariuss answered Nov 02 '22 13:11
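
The approach in the answer above (keep the access token in state shared by the cluster and request a new one only when it is about to expire), as an added example that is not part of the original answer. A plain dict stands in for the distributed session store, and `SharedTokenCache`, `fetch_token`, `fake_fetch` and the 60-second skew are hypothetical names and values chosen for illustration.

```python
import threading
import time


class SharedTokenCache:
    """Access-token cache over a shared key/value store. Assumption: a plain
    dict stands in for the cluster's distributed session store."""

    def __init__(self, store, fetch_token, skew=60, clock=time.time):
        self._store = store            # shared by all hosts in a real cluster
        self._fetch = fetch_token      # hypothetical: returns (token, expires_in)
        self._skew = skew              # refresh this many seconds before expiry
        self._clock = clock
        self._lock = threading.Lock()  # per-process; a cluster needs a shared lock

    def _cached(self):
        token, expires_at = self._store.get("access_token", (None, 0))
        return token if expires_at - self._skew > self._clock() else None

    def get(self):
        token = self._cached()
        if token is None:
            with self._lock:
                # Re-check: another worker may have refreshed while we waited.
                token = self._cached()
                if token is None:
                    token, expires_in = self._fetch()
                    expires_at = self._clock() + expires_in
                    self._store["access_token"] = (token, expires_at)
        return token


def demo():
    """Two 'hosts' share one store; returns (tokens seen, token requests made)."""
    now, calls, store = [1000.0], [], {}

    def fake_fetch():  # constructed stand-in for the token endpoint
        calls.append(now[0])
        return f"token-{len(calls)}", 3600

    host_a = SharedTokenCache(store, fake_fetch, clock=lambda: now[0])
    host_b = SharedTokenCache(store, fake_fetch, clock=lambda: now[0])
    seen = [host_a.get(), host_b.get()]  # second call is served from the store
    now[0] += 3600 - 30                  # inside the skew window: needs refresh
    seen += [host_b.get(), host_a.get()]
    return seen, len(calls)
```

Because both hosts read the same entry, the token endpoint is contacted once per token lifetime rather than once per host, which keeps the cluster away from the rate limits the answer mentions.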