重用OAuth访问令牌

Question

On my site, I intend to offer users the ability to authenticate via OAuth. I don't want to ask them to first register with me and then connect an external account; I want to offer single sign on.

I believe we're supposed to reuse Access Tokens; certainly within sessions and even between them.

Google goes so far as to say they'll limit the number of access tokens to 10 per user per application . (Apparently Google still supports OAuth1, but recommends Auth2 now) 10 is a pretty small number.

Using cookies ( like this ) seems like a good plan for identifying a user between sessions, but I'm having trouble with the scenario where a user has deleted cookies or connects from a new machine.

How do I know who the user is before I've requested another Access Token for them? Request tokens do not contain the userid, right?

Thanks

Answer 1

You will have to maintain your own user accounts anyway, no matter which protocol and which provider you choose. A token (or a URL in the case of OpenID) that you get from a provider is unique for a given user and you are supposed to associate it with your internal user account and recognize user by it.

If you don't want to provide any registration UI it's okay: just get the token, retrieve all the user info you need from the provider and store all this somewhere in your database. You will also have to issue and recognize your own cookie for your users, or else they'll be forced to go through provider auth every time they visit your site.