

How do I use Discord OAuth2 for user management and authentication in my application?

I'm building an application where I want to be able to create and authenticate users using Discord and OAuth2. The reasons are:

  • The application can be considered a "companion" app to a Discord community I am running, and
  • I don't want the users or myself to have to deal with usernames and passwords

The application consists of a client desktop application and backend services. I have a fairly basic understanding of how I authorize the user with Discord:

  1. Client application goes to backend endpoint /oauth/login and the user is redirected to the Discord app approval page
  2. The user confirms and is redirected to the backend callback /oauth/callback with a code that can be used to fetch a pair of access and refresh tokens.

Frankly, from this point I am kind of stumped on how the rest of the authentication should work. I assume at least the following:

  • I need to create a user entry in my database with at least a UID (for simplicity the same as the one for the user in Discord) and the access and refresh token pair. If the user is already created, update the database with the new tokens.
  • Whenever the application needs user information from Discord it should use the access token. If it has expired, exchange the refresh token with Discord to get a new token pair.

But now what? This only authenticates the user against Discord. I want to leverage the fact that the user is authenticated with Discord to be authenticated to my application. Here are some general questions I have:

  • Do I make a new token for the user to use for subsequent requests to my backend endpoints? Or do I return the Discord access token to the desktop client?
  • What do I do when the token expires? Do I also need an "exchange" endpoint for the desktop client to refresh the token (possibly one that just forwards to Discord to get a new token, depending on the answer to my previous question)?

This all feels like it should be very basic, but I am out of my comfort zone here and need some help to be unblocked.

Thanks for reading!

Your own application should effectively have its own session system.

The easiest is likely to just use HttpOnly cookie-based sessions, with something like a Redis store (or a memory store if this is a toy project).

The session data on the server should contain information on which user is currently logged in. You should probably store the Discord access and refresh token in a database.

The simplest way to deal with refreshing is to simply call their refresh token endpoint as soon as you get a 401 response. If Discord provides information on how long access tokens are valid, you could also preemptively refresh instead of only doing this when you get the 401. Your server does the refreshing; you don't need an endpoint for this.

Generally I can recommend that your server handles all interactions with the Discord API, and never your client (aside from the initial authorization step).
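The session model this answer describes, worked out as an added example that is not part of the original question or answer and is not any Discord library's code: the backend keeps the Discord access/refresh tokens in its own user store, hands the desktop client only an opaque HttpOnly session cookie, and refreshes the Discord token both pre-emptively (from the `expires_in` Discord returns) and once more when a call comes back 401, with the retry bounded to a single attempt. It also verifies the OAuth `state` parameter on the callback, which the thread does not mention but which any redirect-based OAuth login needs against login CSRF. The Discord endpoint URLs and the `identify` scope are assumptions to be checked against the Discord docs; the dict-based user table and session store stand in for a database and Redis; the `FakeDiscord` transport and the `good-code` / `alice` values are constructed so the block runs offline, and `Backend` takes its HTTP function as a parameter so a real client can be swapped in.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Discord's OAuth2 endpoints as assumed in this added example; confirm against the Discord docs.
AUTHORIZE_URL = "https://discord.com/api/oauth2/authorize"
TOKEN_URL = "https://discord.com/api/oauth2/token"
ME_URL = "https://discord.com/api/users/@me"

@dataclass
class DiscordTokens:
    access_token: str
    refresh_token: str
    expires_at: float  # unix time, computed from the expires_in Discord returns

class Backend:
    def __init__(self, client_id, client_secret, redirect_uri, http, now=time.time):
        # http(method, url, headers, form) -> (status, json) is injected so the example runs offline
        self.client_id, self.client_secret, self.redirect_uri, self.http, self.now = client_id, client_secret, redirect_uri, http, now
        self.users: Dict[str, DiscordTokens] = {}  # stand-in for the users table: discord id -> tokens
        self.sessions: Dict[str, str] = {}         # stand-in for the Redis session store: sid -> discord id
        self.pending_states = set()                # OAuth state values issued but not yet consumed

    def begin_login(self) -> Tuple[str, str]:
        """/oauth/login: mint a state value and build the Discord authorization URL."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        query = urlencode({"client_id": self.client_id, "response_type": "code", "scope": "identify",
                           "redirect_uri": self.redirect_uri, "state": state})
        return state, f"{AUTHORIZE_URL}?{query}"

    def oauth_callback(self, code: str, state: str) -> Tuple[str, str]:
        """/oauth/callback: check state, exchange the code, upsert the user, open a session; returns (Set-Cookie value, discord id)."""
        if state not in self.pending_states:
            raise PermissionError("unknown or reused OAuth state")
        self.pending_states.discard(state)
        tokens = self._token_request({"grant_type": "authorization_code", "code": code,
                                      "redirect_uri": self.redirect_uri})
        status, me = self._bearer_get(ME_URL, tokens.access_token)
        if status != 200:
            raise PermissionError(f"users/@me returned {status}")
        uid = me["id"]
        self.users[uid] = tokens         # create the user row, or overwrite its tokens
        sid = secrets.token_urlsafe(32)  # opaque session id; never the Discord token itself
        self.sessions[sid] = uid
        return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/", uid

    def user_from_cookie(self, cookie_header: str) -> Optional[str]:
        """Map a backend request's Cookie header to the logged-in Discord id, or None."""
        cookies = dict(p.strip().partition("=")[::2] for p in cookie_header.split(";") if "=" in p)
        return self.sessions.get(cookies.get("session", ""))

    def discord_get(self, uid: str, url: str) -> dict:
        """Call Discord for this user; refresh shortly before expiry and once on a 401."""
        if self.users[uid].expires_at - self.now() < 60:  # pre-emptive refresh
            self._refresh(uid)
        status, body = self._bearer_get(url, self.users[uid].access_token)
        if status == 401:                                 # revoked or otherwise invalid: refresh, retry once
            self._refresh(uid)
            status, body = self._bearer_get(url, self.users[uid].access_token)
        if status != 200:
            raise RuntimeError(f"Discord returned {status} for {url}")
        return body

    def _refresh(self, uid: str) -> None:
        self.users[uid] = self._token_request({"grant_type": "refresh_token",
                                               "refresh_token": self.users[uid].refresh_token})

    def _token_request(self, form: dict) -> DiscordTokens:
        form = {**form, "client_id": self.client_id, "client_secret": self.client_secret}
        status, body = self.http("POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise PermissionError(f"token endpoint returned {status}: {body}")
        return DiscordTokens(body["access_token"], body["refresh_token"], self.now() + body["expires_in"])

    def _bearer_get(self, url: str, access_token: str) -> Tuple[int, dict]:
        return self.http("GET", url, {"Authorization": f"Bearer {access_token}"}, None)

class FakeDiscord:
    """Constructed stand-in for Discord so the example runs offline: each token grant invalidates the previous access token."""
    def __init__(self):
        self.valid_access, self.counter, self.refresh_calls = set(), 0, 0

    def __call__(self, method, url, headers, form):
        if method == "POST" and url == TOKEN_URL:
            if form["grant_type"] == "refresh_token":
                self.refresh_calls += 1
            self.counter += 1
            self.valid_access = {f"access-{self.counter}"}
            return 200, {"access_token": f"access-{self.counter}", "refresh_token": f"refresh-{self.counter}", "expires_in": 604800}
        if method == "GET" and url == ME_URL:
            token = headers.get("Authorization", "")[len("Bearer "):]
            if token not in self.valid_access:
                return 401, {"message": "401: Unauthorized"}
            return 200, {"id": "123456789012345678", "username": "alice"}
        return 404, {}
```

The desktop client never sees `access-…` or `refresh-…`: it stores the `session=` cookie (a native client has to keep its own cookie jar) and sends it on every backend request, and the backend resolves it with `user_from_cookie` before calling `discord_get` on the user's behalf. Logging out is deleting the session id from the store, and if a Discord refresh fails the backend should drop the session too, so the user is sent back through `/oauth/login` rather than left with a session whose tokens can no longer be renewed.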

Declaration: the technical posts on this site are published under the CC BY-SA 4.0 license; if you reproduce them, please cite this site or the original source. For any questions contact: yoyou2525@163.com.
