
I am writing an application and am using OAuth for authentication and for getting a user's email. I am successfully authenticating, but am unsure how to manage the session. I want to protect my resources, but I don't think I want to re-authenticate every time a user goes to a new page.

Current Flow

  • User clicks 'log in with Google'
  • User gets redirected to Google to approve the request
  • Server gets a token on the user's approval
  • Server uses the token to get the email

What now?

I am using OAuth2 for the services that support it (Facebook, Google) and OAuth1a for those that don't.

I had trouble finding a flow for returning users and for maintaining authentication during a user's time on the site. Are there any good resources on best practices for maintaining sessions or handling returning users?

Charlie Andrews

    this may be of help: http://stackoverflow.com/questions/13851157/oauth2-and-google-api-access-token-expiration-time – ikumen Jun 21 '13 at 05:16

1 Answer

When a user logs in through Google, your app will get a (refresh + access) token pair. You can use the access token to fetch the user's resources and can use the refresh token to get more access tokens as and when required. Your app can get more access tokens by exchanging your refresh token as and when you need it. So, the refresh token is the answer whenever the provider makes it available.

More details on how this can be done on Facebook can be seen here - Refresh token and Access token in Facebook API

Also, the link mentioned in the comments to the question contains a good answer that you should see. Feel free to post any more queries.

divyanshm
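To make the answer's "keep the token pair server-side and refresh when needed" concrete, here is an added example (not code from the question or the answer) of a minimal session layer: after the OAuth callback the app stores the access/refresh pair in a server-side store and hands the browser only an opaque session id; on each request it returns a still-valid access token, refreshes it through a caller-supplied `refresh_fn` when it is about to expire, and forces a new login if the refresh fails or no refresh token was issued. The store, the session TTL and `refresh_fn` are assumptions for the example; in a real app `refresh_fn` would perform the provider's refresh-token grant over HTTPS.

```python
import secrets
import time

# Constructed in-memory session store: opaque session id -> session record.
# In production this lives server-side (database, Redis); the tokens never go
# into the cookie, only the random id does.
SESSIONS = {}
SESSION_TTL = 7 * 24 * 3600  # app's own login lifetime (assumed), independent of the access token


def create_session(email, access_token, refresh_token, expires_in, now=None):
    """Call once after the OAuth callback. Returns the opaque id to set as the session cookie."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # unguessable; it is only an index into SESSIONS
    SESSIONS[sid] = {
        "email": email,
        "access_token": access_token,
        "refresh_token": refresh_token,  # may be None if the provider issued none
        "access_expires_at": now + expires_in,
        "session_expires_at": now + SESSION_TTL,
    }
    return sid


def get_access_token(sid, refresh_fn, now=None, skew=60):
    """Return a usable access token for this session, or None if the user must log in again.

    refresh_fn(refresh_token) -> (new_access_token, expires_in) performs the provider's
    refresh grant and raises on failure (e.g. the grant was revoked).
    """
    now = time.time() if now is None else now
    sess = SESSIONS.get(sid)
    if sess is None or now >= sess["session_expires_at"]:
        SESSIONS.pop(sid, None)  # unknown or expired app session: re-authenticate
        return None
    if now + skew < sess["access_expires_at"]:
        return sess["access_token"]  # still valid (with a safety margin), no provider call
    if not sess["refresh_token"]:
        return None  # nothing to refresh with: send the user through the login flow again
    try:
        new_token, expires_in = refresh_fn(sess["refresh_token"])
    except Exception:
        SESSIONS.pop(sid, None)  # refresh rejected (revoked/invalid): drop the session
        return None
    sess["access_token"] = new_token
    sess["access_expires_at"] = now + expires_in
    return new_token


def logout(sid):
    """Server-side logout: forgetting the record is what ends the session."""
    SESSIONS.pop(sid, None)
```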