Reputation: 41
I'm building a REST server and a client for it. Now I need to embed some third-party OAuth2 authentication. Right now I'm directing the user to the server, letting him authenticate to the service, and then I redirect to the client, somewhat like this:
Client: Not Authenticated -> Server -> Redirect to Third Party -> Redirect to Server -> Redirect to App.
Then I store a cookie on the client to identify the user (the cookie is sent using withCredentials and CORS).
My problem now is: what should I do about re-authentication when the token expires? Since the client and server only communicate through JSON, I would have to initiate the full authentication process again, and therefore the user would lose all state in the app. Does anyone have a suggestion on how to get around this problem? Is it better to do authentication on the client side and store the access token on the server, or something like that?
Upvotes: 4
Views: 361
Reputation: 10667
What you have done is the proper way to get an OAuth access_token. Your access_token is temporary, so it can expire.
I think you can do either of these:
Check if the Authorization Server (which you use for getting the token) provides an option to get a longer-duration token using your access_token. This is suggested in the OAuth 2 specification as well.
Try to store the user's state without using a session.
Upvotes: 1
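The first suggestion in the answer, sketched as an added example (not code from the question or the answer): the server keeps the grant for each session cookie and, when the access token is about to expire, silently exchanges the refresh token at the third party's token endpoint, so the client never has to restart the redirect flow and loses no state. `FakeTokenEndpoint`, `SessionStore`, `Grant` and all token values are constructed stand-ins, not a real provider's API.

```python
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """What the server stores per session: never sent to the browser."""
    access_token: str
    refresh_token: str
    expires_at: float  # Unix timestamp


class FakeTokenEndpoint:
    """Constructed stand-in for the third party's token endpoint (refresh_token grant).
    It rotates the refresh token and rejects one that was already used."""
    def __init__(self):
        self.calls = 0
        self.used = set()

    def refresh(self, refresh_token, now):
        self.calls += 1
        if refresh_token in self.used:
            raise PermissionError("invalid_grant")
        self.used.add(refresh_token)
        return Grant(f"access-{self.calls}", f"refresh-{self.calls}", now + 3600)


class SessionStore:
    """Maps the opaque cookie value (HttpOnly, Secure) to the user's grant."""
    def __init__(self, endpoint, skew=30):
        self.endpoint = endpoint
        self.skew = skew  # refresh this many seconds before expiry
        self.sessions = {}

    def login(self, cookie, grant):
        self.sessions[cookie] = grant

    def access_token_for(self, cookie, now=None):
        """Return a usable access token for this session, refreshing if needed.
        Returns None when the full authorization flow must be restarted."""
        now = time.time() if now is None else now
        grant = self.sessions.get(cookie)
        if grant is None:
            return None
        if now < grant.expires_at - self.skew:
            return grant.access_token
        try:
            grant = self.endpoint.refresh(grant.refresh_token, now)
        except PermissionError:
            del self.sessions[cookie]  # refresh token revoked or reused: log in again
            return None
        self.sessions[cookie] = grant
        return grant.access_token
```

If the refresh fails the server returns an error the client can map to "restart login", which is the only case where the user still goes through the redirects.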