PHP oauth2 how to use refresh_token

Question

I´ma bit puzzled how to use auth_ and refresh_token correctly in php.

I have registered a new client app with the oauth-provider. After that my app sends the client-id and secret to the oauth2-authorization-endpoint which returns following:

Array
(
    [result] => Array
        (
            [access_token] => qjdcshsmgwcuvi7hzpgxwqapfb8aoab60fmprk1g
            [expires_in] => 86400
            [token_type] => Bearer
            [scope] => basic
            [refresh_token] => whnutk9npmaikcn1bxbovleuqn9ggn9j00jgyiph
        )

    [code] => 200
    [content_type] => application/json
) 

Great, I can now query the API by use of access_token. BUT the access_token will expire in 24h and the whole dance will start again.

Questions:

• where do I store the access_token that the whole process does not run on every request? A session will not be persistent, in a conf file, memcache a DB?)
• How to deal with the refresh token should I save a timestamp in the session and check if a new access_token has to be requested?

Answer 1

If you only use those tokens when your user is online (as in signed in to your application), then I would store it in a session variable. If you'll also use the tokens when the user is not online, it would be recommended to store them in a database. In the first case, you'll receive a refresh token every time the user signs in. In the second case, you'll receive a refresh token only once (ie when the user links their 3rd party account to your application).

To answer your second question, it would be advisable to store the expiry timestamp with the access_token.