I am trying to understand OAuth 2.0 (server-side flow). Let's take the simple example of the Google Contacts API.
As per the specifications, I have registered my app with Google and have got a Client ID and Client Secret. I have also mentioned a callback URL.
Getting an access token requires me to:
1. Redirect the user to a certain URL with the required query strings and headers, as mentioned in the OAuth document on Google's site (https://accounts.google.com/o/oauth2/auth and so on).
2. After the user enters their credentials, they are sent back to the callback URL mentioned in my app, which I have already registered with Google. Here the query string parameter &code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp6... is also appended to the callback URL. Thus I now have an authorization code.
3. Now I send a request to https://accounts.google.com/o/oauth2/token with the authorization code I got in the previous step, so that I get an access token and a refresh token.
4. Once I have got this "access token", I can access (say) the Contacts API and get the user's contacts.
Everything is fine up to this point. I also understand that access tokens have a limited lifetime and we can get a new access token using the "refresh token".
A. As a developer, is it my responsibility to store and check whether the "access token" is valid?
B. If my website is a public website with "Login with Google/FB/Twitter", how do I know that it's the same user who has returned to the site after 2 days, so that I don't need to ask him to log in and the user is auto-logged in to the site instead? Because I don't want him to go through the authorization process again, as they have already given permission to my app.
E.g.: I have logged into the TechCrunch website using my FB login and can comment on articles. Now, even after 1 week, if I visit TechCrunch I don't have to log in again. How do they know that it's me and that I am already authenticated?
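The three steps of the server-side flow described in the question, written out as a small client. This is an added example and not code from the question or any of the answers: the two Google endpoints are the ones named above, while the client credentials, the redirect URI, the in-memory `state` store, the `contacts.readonly` scope and the helper names are assumptions of this example. The `state` parameter is the part the question does not mention: it ties the callback to the browser session that started the flow, so a code that did not originate from this session is rejected, and the code-for-token exchange happens server to server so the client secret never reaches the browser.

```python
# Added example, not code from the question or any answer: a minimal
# server-side OAuth 2.0 authorization-code client for the flow in the question.
# The endpoints are the Google ones named in the question; credentials,
# redirect URI, scope, the in-memory state store and all helper names are
# assumptions of this example.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"

# Constructed placeholders; the real values come from the Google API console.
CLIENT_ID = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
CLIENT_SECRET = "EXAMPLE-CLIENT-SECRET"
REDIRECT_URI = "https://example.com/oauth2/callback"

# `state` values still waiting for a callback, keyed by the browser session
# that started the flow. Each value is accepted exactly once.
_pending_state = {}


def query_params(url):
    """First value of every query-string parameter in `url`."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_url(session_id, scope):
    """Step 1: the URL the user is redirected to. `state` is an unguessable
    nonce bound to the session so the callback can be matched to this request."""
    state = secrets.token_urlsafe(32)
    _pending_state[session_id] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "access_type": "offline",  # ask Google for a refresh token as well
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def extract_authorization_code(session_id, callback_url):
    """Step 2: the user arrives at the callback URL carrying ?code=...&state=...
    The code is accepted only if `state` matches what this session issued;
    the stored value is removed so the callback cannot be replayed."""
    query = query_params(callback_url)
    expected = _pending_state.pop(session_id, None)
    received = query.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"])
    return query["code"]


def token_request(code):
    """Step 3: the server-to-server POST that exchanges the code for tokens.
    Returns the endpoint and the form body to send."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
    }
    return TOKEN_ENDPOINT, body


if __name__ == "__main__":
    url = build_authorization_url("browser-session-1",
                                  "https://www.googleapis.com/auth/contacts.readonly")
    print("redirect the user to:", url)
    # Simulate Google sending the user back with a constructed code and the same state.
    callback = REDIRECT_URI + "?" + urlencode(
        {"code": "CONSTRUCTED-CODE", "state": query_params(url)["state"]})
    code = extract_authorization_code("browser-session-1", callback)
    print("POST", *token_request(code))
```

The state check is what makes step 2 safe to automate: without it, any code delivered to the callback URL would be exchanged on behalf of whichever browser session happened to carry it.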
Access token lifetime: By default, an access token for a custom API is valid for 86400 seconds (24 hours).
When the access token expires, the application will be forced to make the user sign in again, so that you as the service know the user is continually involved in re-authorizing the application.
Refresh tokens can expire, although their expiration time is usually much longer than access tokens. Refresh tokens can become invalid in other ways (for example if your user revokes your OAuth client app's access — in this case all your refresh tokens and access tokens for that provider would be invalidated).
Access tokens can expire for many reasons, such as the user revoking an app, or if the authorization server expires all tokens when a user changes their password. If you make an API request and the token has expired already, you'll get back a response indicating as such.
When using OAuth 2.0, you get an access token which has an expire time sent along with it. Either you can keep track of when it expires or you can just keep using it until you get an INVALID_TOKEN error. Then you would need to call the refresh token service to get a new access token. Your refresh token is good until revoked.
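The answer's two options, tracking the expiry time yourself or using the token until the API rejects it, and the refresh step that follows either one, as an added example that is not code from the answer. The provider is simulated in-process so the example runs offline; the 24-hour lifetime is the figure the answer gives, while the class names, the controllable clock, the 60-second safety margin and the way revocation is modelled are assumptions of this example. It also covers the failure mode the answer mentions: a refresh token that has been revoked, which is the point at which the user has to go through authorization again.

```python
# Added example, not code from the answer: an application-side token store
# that tracks expiry, refreshes proactively, and still copes with an early
# rejection (e.g. after revocation). Provider, clock and names are assumptions.


class TokenExpired(Exception):
    """Raised by the simulated API when the access token is no longer valid."""


class RefreshRevoked(Exception):
    """Raised when the refresh token has been revoked (user removed the app)."""


class FakeClock:
    """Controllable time source so expiry can be exercised without waiting."""
    def __init__(self):
        self.now = 1_000_000.0

    def advance(self, seconds):
        self.now += seconds


class SimulatedProvider:
    """Toy authorization server plus resource API for one application.
    Access tokens live `access_lifetime` seconds; refresh tokens until revoked."""
    def __init__(self, clock, access_lifetime=86400):
        self.clock = clock
        self.access_lifetime = access_lifetime
        self._access = {}      # access token -> expiry timestamp
        self._refresh = set()  # refresh tokens that are still valid
        self._serial = 0

    def _issue(self):
        self._serial += 1
        token = f"at-{self._serial}"
        self._access[token] = self.clock.now + self.access_lifetime
        return {"access_token": token, "expires_in": self.access_lifetime}

    def exchange_code(self, code):
        """Authorization-code grant: access token plus refresh token."""
        response = self._issue()
        response["refresh_token"] = f"rt-{code}"
        self._refresh.add(response["refresh_token"])
        return response

    def refresh(self, refresh_token):
        if refresh_token not in self._refresh:
            raise RefreshRevoked("invalid_grant")
        return self._issue()

    def revoke_access(self, refresh_token):
        """User revokes the app: its refresh and access tokens all stop working
        (the toy serves one app, so clearing every access token models that)."""
        self._refresh.discard(refresh_token)
        self._access.clear()

    def get_contacts(self, access_token):
        expiry = self._access.get(access_token)
        if expiry is None or self.clock.now >= expiry:
            raise TokenExpired("invalid_token")
        return ["Alice", "Bob"]  # constructed sample data


class TokenStore:
    """Per-user record kept by the web application: access token, the time
    it expires, and the refresh token (the "store and check" of question A)."""
    SKEW = 60  # refresh this many seconds early to absorb clock differences

    def __init__(self, provider, clock, code):
        self.provider = provider
        self.clock = clock
        self.refresh_token = None
        self._store(provider.exchange_code(code))

    def _store(self, response):
        self.access_token = response["access_token"]
        self.expires_at = self.clock.now + response["expires_in"]
        if "refresh_token" in response:
            self.refresh_token = response["refresh_token"]

    def is_expired(self):
        return self.clock.now >= self.expires_at - self.SKEW

    def refresh(self):
        """New access token; RefreshRevoked means the user must re-authorize."""
        self._store(self.provider.refresh(self.refresh_token))

    def contacts(self):
        """Option 1: refresh before the tracked expiry. Option 2: if the API
        rejects the token anyway, refresh once and retry."""
        if self.is_expired():
            self.refresh()
        try:
            return self.provider.get_contacts(self.access_token)
        except TokenExpired:
            self.refresh()
            return self.provider.get_contacts(self.access_token)


if __name__ == "__main__":
    clock = FakeClock()
    store = TokenStore(SimulatedProvider(clock), clock, "CONSTRUCTED-CODE")
    print(store.contacts(), store.access_token)
    clock.advance(86400)  # a day later: refreshed transparently
    print(store.contacts(), store.access_token)
```

Refreshing once and then giving up is deliberate: a second `RefreshRevoked` in a row means the refresh token itself is gone, and the only correct response is to send the user back through the authorization step rather than retrying.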
This is OpenID, not OAuth. The flow is similar, but is for logging a user into your service. OAuth is for you retrieving the user's data from another account.