Dunkstormen Posted March 31, 2020 Share Posted March 31, 2020 So I've thought of using IPSs oauth system to authenticate users in an external web app. However in my last attempt to do it I ended up with the web app generating a new access token everytime a user signed in. Is that the behaviour I should expect or is there any way to get around it as it would be annoying to look at 100+ authentications tokens per user of the app. If it helps in getting a more precise answer, then I'm planning on using Laravel with its socialite package. Link to comment Share on other sites More sharing options...
bfarber Posted April 1, 2020 Share Posted April 1, 2020 An access token should be generated for every single user that logs in - that's normal. Link to comment Share on other sites More sharing options...
Dunkstormen Posted April 1, 2020 Author Share Posted April 1, 2020 (edited) 1 hour ago, bfarber said: An access token should be generated for every single user that logs in - that's normal. I'm aware of that. However whenever they sign out and sign in again it creates a new token for them so they end up having two and so it continues. Is there any way I can prevent that if I already got a token stored? As it fills up the logs on a users profile for every time they sign in to the external application. Is it possible to determine which user that is attempting to sign in before a new access token is exchanged? Edited April 1, 2020 by Dunkstormen Link to comment Share on other sites More sharing options...
bfarber Posted April 2, 2020 Share Posted April 2, 2020 Typically if they indeed logged out, their access token would be invalidated, so that sounds normal too on the surface. But to answer your question, no, I don't know how you would know which user is trying to login before they in fact try to login. You could potentially set a cookie that is not cleared upon logout to track this information if you needed to, but that might represent a minor security concern (i.e. a user logs out, but PII remains in place). Link to comment Share on other sites More sharing options...
Dunkstormen Posted April 2, 2020 Author Share Posted April 2, 2020 1 hour ago, bfarber said: Typically if they indeed logged out, their access token would be invalidated, so that sounds normal too on the surface. But to answer your question, no, I don't know how you would know which user is trying to login before they in fact try to login. You could potentially set a cookie that is not cleared upon logout to track this information if you needed to, but that might represent a minor security concern (i.e. a user logs out, but PII remains in place). Makes sense. The only real issue that triggers my OCD is the logs on a users profile get filled for every time the get a new token which introduces a lot of clutter that could make it harder to see other stuff like group changes etc. I guess a solution would be to have some other auth solution up front and then only require the users to authenticate with the oAuth client once. And then use the refresh_token to keep the auth_token up to date. Unless there is some sort of workaround within the forum software itself to declutter it. Link to comment Share on other sites More sharing options...
bfarber Posted April 3, 2020 Share Posted April 3, 2020 I'd recommend just ignoring the member history. The same thing happens with our client area, it's not an issue. Link to comment Share on other sites More sharing options...
Recommended Posts