I'm using the Node version of the Google API client, i.e. google-api-nodejs-client.
As part of this I'm setting up the OAuth flow (the 'google webserver' flow, to be exact).
As part of authentication this consists of doing calls like:
var oauth2Client = new OAuth2Client(CLIENT_ID, CLIENT_SECRET, REDIRECT_URL);
and
oauth2Client.setCredentials(userSpecificTokens)
Obviously, the first call is app-specific, whereas the second call is user-specific.
What is considered good practice in this case? Either:
1. have 1 oauth2Client and cache/save tokens per user and inject them using oauth2Client.setCredentials(userSpecificTokens) on each and every request. This essentially creates a new oauth2Client per request.
2. have 1 oauthClient per user, including oauth2Client.setCredentials(userSpecificTokens) already applied, which is created when needed and cached afterwards.
I believe your first approach is the correct one:
have 1 oauth2Client and cache/save tokens per user and inject them using oauth2Client.setCredentials(userSpecificTokens) on each and every request.
However, this line isn't correct:
This essentially creates a new oauth2Client per request.
The OAuth2Client is created only once, when you've newed it: new OAuth2Client(CLIENT_ID, CLIENT_SECRET, REDIRECT_URL);
setCredentials() just swaps the credentials that are stored in that OAuth2Client object. Basically, what this means is that if you went for your 2nd approach, you'd have many additional instantiated OAuth2Clients unnecessarily. The only time you would ever need to instantiate a "new" OAuth2Client is when you want to connect with a different token/key.
It's somewhat common to store the tokens on a database or session and have them reused exactly as you've described by setting the credentials on the single instance of your client. (https://security.stackexchange.com/questions/72475/should-we-store-accesstoken-in-our-database-for-oauth2)
For reference, the docs give some insight and basically describe your first approach - https://github.com/google/google-api-nodejs-client/#request-level-options
You can specify an auth object to be used per request. Each request also inherits the options specified at the service level and global level.
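Both of the question's options run side by side, as an added example that is not from the question, the answer, or the googleapis library. FakeOAuth2Client is a stand-in that only mirrors the setCredentials()-then-request shape of the real client (credentials stored on the instance, read when the request goes out); the users, token values and request path are constructed for the demo.

```javascript
// Added example: FakeOAuth2Client is a stand-in (NOT the googleapis class)
// that keeps only the behaviour relevant here: setCredentials() mutates
// instance state, and the access token is read when the request is sent.
class FakeOAuth2Client {
  constructor(clientId, clientSecret, redirectUrl) {
    this.clientId = clientId;         // app-specific
    this.clientSecret = clientSecret; // app-specific
    this.redirectUrl = redirectUrl;   // app-specific
    this.credentials = {};            // user-specific, filled by setCredentials()
  }

  setCredentials(tokens) {
    this.credentials = { ...tokens };
  }

  // Simulated API call: async work first (connection setup, etc.), then the
  // Authorization header is built from whatever credentials the instance
  // holds at that moment.
  async request(path) {
    await new Promise((resolve) => setTimeout(resolve, 1));
    return { path, authorization: `Bearer ${this.credentials.access_token}` };
  }
}

// Constructed sample token store standing in for a DB or session store.
const TOKEN_STORE = {
  alice: { access_token: 'ya29.alice-token', refresh_token: 'rt-alice' },
  bob: { access_token: 'ya29.bob-token', refresh_token: 'rt-bob' },
};

function expectedHeader(user) {
  return `Bearer ${TOKEN_STORE[user].access_token}`;
}

// Approach 1, taken literally: one shared client, setCredentials() per request.
async function sharedClientHandler(client, user, path) {
  client.setCredentials(TOKEN_STORE[user]);
  const res = await client.request(path);
  return { user, sent: res.authorization };
}

// Approach 2: one client per user, created on first use and cached.
const clientCache = new Map();
function clientFor(user) {
  let client = clientCache.get(user);
  if (!client) {
    client = new FakeOAuth2Client('CLIENT_ID', 'CLIENT_SECRET', 'REDIRECT_URL');
    client.setCredentials(TOKEN_STORE[user]);
    clientCache.set(user, client);
  }
  return client;
}
async function perUserHandler(user, path) {
  const res = await clientFor(user).request(path);
  return { user, sent: res.authorization };
}

// Fires two users' requests concurrently (as a web server would) and counts
// how many went out carrying a token that belongs to a different user.
async function countCrossUserTokens(handler) {
  const results = await Promise.all([
    handler('alice', '/drive/v3/files'),
    handler('bob', '/drive/v3/files'),
  ]);
  return results.filter((r) => r.sent !== expectedHeader(r.user)).length;
}

async function demo() {
  const shared = new FakeOAuth2Client('CLIENT_ID', 'CLIENT_SECRET', 'REDIRECT_URL');
  const sharedClientCrossUser = await countCrossUserTokens(
    (user, path) => sharedClientHandler(shared, user, path),
  );
  const perUserCrossUser = await countCrossUserTokens(perUserHandler);
  return { sharedClientCrossUser, perUserCrossUser };
}

demo().then((result) => console.log(result));
```

With the shared client, one of the two concurrent requests goes out with the other user's token: setCredentials() replaces the instance's credentials while the first call is still in flight, and the token is only read when the request is actually sent. The cached per-user clients never mix tokens. The request-level auth option the answer links to gets the same separation by passing a distinct auth object per call rather than mutating one shared instance, which is the form to prefer in any server that handles requests concurrently.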