Dunkstormen, posted March 31, 2020
So I've thought of using IPS's OAuth system to authenticate users in an external web app. However, in my last attempt to do it I ended up with the web app generating a new access token every time a user signed in. Is that the behaviour I should expect, or is there any way to get around it, as it would be annoying to look at 100+ authentication tokens per user of the app? If it helps in getting a more precise answer, then I'm planning on using Laravel with its Socialite package.
bfarber, posted April 1, 2020
An access token should be generated for every single user that logs in - that's normal.
Dunkstormen (author), posted April 1, 2020 (edited)
1 hour ago, bfarber said: An access token should be generated for every single user that logs in - that's normal.
I'm aware of that. However, whenever they sign out and sign in again it creates a new token for them, so they end up having two, and so it continues. Is there any way I can prevent that if I already have a token stored? It fills up the logs on a user's profile every time they sign in to the external application. Is it possible to determine which user is attempting to sign in before a new access token is exchanged?
Edited April 1, 2020 by Dunkstormen
bfarber, posted April 2, 2020
Typically if they indeed logged out, their access token would be invalidated, so that sounds normal too on the surface. But to answer your question, no, I don't know how you would know which user is trying to log in before they in fact try to log in. You could potentially set a cookie that is not cleared upon logout to track this information if you needed to, but that might represent a minor security concern (i.e. a user logs out, but PII remains in place).
Dunkstormen (author), posted April 2, 2020
1 hour ago, bfarber said: Typically if they indeed logged out, their access token would be invalidated, so that sounds normal too on the surface. But to answer your question, no, I don't know how you would know which user is trying to log in before they in fact try to log in. You could potentially set a cookie that is not cleared upon logout to track this information if you needed to, but that might represent a minor security concern (i.e. a user logs out, but PII remains in place).
Makes sense. The only real issue that triggers my OCD is that the logs on a user's profile get filled every time they get a new token, which introduces a lot of clutter that could make it harder to see other stuff like group changes etc. I guess a solution would be to have some other auth solution up front and then only require the users to authenticate with the OAuth client once, and then use the refresh_token to keep the auth_token up to date. Unless there is some sort of workaround within the forum software itself to declutter it.
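One way to implement the "authenticate once, then keep the token fresh with the refresh_token" approach described in the post above, as an added example that is not part of the original thread and not IPS's or Socialite's own code. It assumes Laravel with Socialite: `Socialite::driver()->redirect()` and `->user()` (with its `token`, `refreshToken` and `expiresIn` properties), the `Http`, `Crypt`, `DB` and `Carbon` facades and `updateOrInsert` are real Laravel APIs, while the `ips` driver name, the `oauth_tokens` table, the `services.ips.*` config keys and the `TOKEN_ENDPOINT` URL are hypothetical placeholders to replace with your own.

```php
<?php
// Added example, not code from the thread, from IPS, or from Socialite.
// Assumptions (hypothetical): a Socialite driver named 'ips'; an `oauth_tokens`
// table with columns user_id, access_token, refresh_token, expires_at,
// updated_at; `services.ips.client_id` / `client_secret` in config/services.php;
// and the placeholder TOKEN_ENDPOINT below.

namespace App\Http\Controllers;

use Illuminate\Support\Carbon;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Http;
use Laravel\Socialite\Facades\Socialite;

class CommunityOAuthController extends Controller
{
    // Placeholder: replace with the community's real OAuth token endpoint.
    private const TOKEN_ENDPOINT = 'https://forum.example/oauth/token/';

    // login() and callback() are assumed to sit behind the app's own `auth`
    // middleware: the app's server-side session identifies the user first, so
    // the stored token is looked up by local user id rather than by a cookie
    // that would have to survive logout.
    public function login()
    {
        if ($this->usableAccessToken(Auth::id()) !== null) {
            // A valid (or just refreshed) token exists: no new authorization,
            // hence no new entry in the member history on the community side.
            return redirect('/dashboard');
        }
        // First link, or the refresh failed: one interactive authorization.
        return Socialite::driver('ips')->redirect();
    }

    public function callback()
    {
        $remote = Socialite::driver('ips')->user();
        $this->storeTokens(Auth::id(), $remote->token, $remote->refreshToken, (int) ($remote->expiresIn ?? 3600));
        return redirect('/dashboard');
    }

    // Returns a decrypted access token for the user, refreshing it when it has
    // expired; returns null when the user must authorize again.
    private function usableAccessToken(int $userId): ?string
    {
        $row = DB::table('oauth_tokens')->where('user_id', $userId)->first();
        if ($row === null) {
            return null;
        }
        // Refresh a minute early so a token does not expire mid-request.
        if (Carbon::parse($row->expires_at)->subMinute()->isFuture()) {
            return Crypt::decryptString($row->access_token);
        }
        if ($row->refresh_token === null) {
            return null;
        }
        $oldRefresh = Crypt::decryptString($row->refresh_token);
        $response = Http::asForm()->post(self::TOKEN_ENDPOINT, [
            'grant_type'    => 'refresh_token',
            'refresh_token' => $oldRefresh,
            'client_id'     => config('services.ips.client_id'),
            'client_secret' => config('services.ips.client_secret'),
        ]);
        if (!$response->successful() || $response->json('access_token') === null) {
            // Refresh token revoked or expired: drop the stale row so the user
            // is sent through the authorization redirect once more.
            DB::table('oauth_tokens')->where('user_id', $userId)->delete();
            return null;
        }
        $this->storeTokens(
            $userId,
            $response->json('access_token'),
            // Providers may rotate the refresh token; keep the old one otherwise.
            $response->json('refresh_token') ?? $oldRefresh,
            (int) ($response->json('expires_in') ?? 3600)
        );
        return $response->json('access_token');
    }

    // Tokens are secrets: store them encrypted with the app key, one row per user.
    private function storeTokens(int $userId, string $access, ?string $refresh, int $ttl): void
    {
        DB::table('oauth_tokens')->updateOrInsert(
            ['user_id' => $userId],
            [
                'access_token'  => Crypt::encryptString($access),
                'refresh_token' => $refresh === null ? null : Crypt::encryptString($refresh),
                'expires_at'    => Carbon::now()->addSeconds($ttl),
                'updated_at'    => Carbon::now(),
            ]
        );
    }
}
```

Wire `login()` and `callback()` to two routes inside the app's authenticated route group, and point the community OAuth client's redirect URI at the callback route. Because the lookup is keyed on the app's own session rather than on a persistent cookie, nothing identifying the user is left in the browser after logout, which avoids the PII concern bfarber raises. Whether the provider rotates refresh tokens on each use or invalidates access tokens on logout is provider-specific; the code tolerates both by keeping the old refresh token when no new one is returned and by falling back to a fresh authorization when the refresh is rejected.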
bfarber, posted April 3, 2020
I'd recommend just ignoring the member history. The same thing happens with our client area, it's not an issue.