DEV Community

loading...

Discussion on: OAuth Tips for the Uninitiated

Collapse
anabella profile image
anabella

Thank you! This cleared a couple of things for me. If you don't mind, I have a couple more questions:

  1. We handle authorization only when serving our own resources, right? Aren't the OAuth provider's resources (the ones that we got access to, life Google profile information) still handled by them, authorization-wise?

  2. I'm interested in what you mentioned about tracking the tokens (or not). What does that mean exactly, how are they "tracked".

  3. Does the refresh token's life span "restart" every time it is used or is their expiration unavoidable? What happens when they expire, do I need to log in again?

Ah, yeah. I almost never mean "just 2" when I say "a couple of X" 😅

Collapse
antonfrattaroli profile image
Anton Frattaroli Author • Edited
  1. Yeah, sorry that's very misleading and I'll fix it. [Update: fixed]

  2. Refresh tokens stored in a database. Tracked as in their existence is persisted in a database, but I assume someone is already using that in a creepy facebook-tracking you sort of way.

  3. Can be a sliding expiration. Can be set to never expire too. Some companies want re-authentication like they want you to reset your password.

Collapse
anabella profile image
anabella

Beautiful <3 Thank you again!