OAuth2 Token Handling - How to Relate Session Tokens to a User

Hi all,

New here, but thanks to other posts I was able to get an OAuth2 Server Action working. I am using session-based token handling at the moment, which is working great, refreshing tokens automatically.

One thing I had no idea about is how to relate the ‘Session’ to a user. I couldn’t find any info on that, so is anyone able to provide some detail? Basically I want to ensure that the session access token relates only to the user who authorized it.

On a similar note, depending on the response to the above, I wanted to ensure the access token is available if the user signs in anywhere (e.g. another browser, computer, etc.). Is this possible, or do I need to self-maintain the access tokens to do that?

Thanks!

Sessions are maintained by your web server; it sends a cookie with a session id to the user’s web browser to recognise the user. The sessions will time out after a specified timeout, which often can be configured in your web server configuration. When the user uses a different browser or computer, they will get a new session id, so they have to authenticate again since they can’t access their old session.

You can store the access token and refresh token in the database with the user. After the user has logged in, you use the stored access token, and you need the refresh token to generate a new access token when the old access token has expired.
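An added example (not code from this thread) of the scheme described above in Python: a server-side map from the cookie's session id to a user, and per-user stored access/refresh tokens that are refreshed on expiry so every session of that user reuses them. The `refresh_fn` callback standing in for the OAuth2 token endpoint, the clock parameter and the user ids are constructed placeholders.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute epoch seconds


class TokenStore:
    """Tokens live per user_id, so every session of that user (other browser,
    other machine) reuses them; sessions are a server-side map cookie -> user."""

    def __init__(self, refresh_fn: Callable[[str], tuple], clock=time.time, skew: int = 30):
        self._tokens: Dict[str, TokenRecord] = {}  # user_id -> tokens (a DB table in practice)
        self._sessions: Dict[str, str] = {}        # session_id -> user_id, never sent to the client
        self._refresh = refresh_fn                 # placeholder for the token endpoint: refresh -> (access, refresh, lifetime)
        self._clock = clock
        self._skew = skew                          # refresh a little before the real expiry

    def save_tokens(self, user_id: str, access: str, refresh: str, lifetime: int) -> None:
        self._tokens[user_id] = TokenRecord(access, refresh, self._clock() + lifetime)

    def login(self, user_id: str) -> str:
        """Issue an unguessable session id bound to this user; only the id goes in the cookie."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = user_id
        return session_id

    def access_token_for_session(self, session_id: str) -> Optional[str]:
        """Resolve the cookie to a user, then return that user's access token,
        refreshing it first when it is expired or about to expire."""
        user_id = self._sessions.get(session_id)
        if user_id is None:
            return None  # unknown or timed-out session: the user must sign in again
        rec = self._tokens.get(user_id)
        if rec is None:
            return None  # this user has not authorized the app yet
        if self._clock() + self._skew >= rec.expires_at:
            access, refresh, lifetime = self._refresh(rec.refresh_token)
            self.save_tokens(user_id, access, refresh, lifetime)  # store the rotated refresh token too
            rec = self._tokens[user_id]
        return rec.access_token
```

Because the lookup goes cookie -> user -> tokens, a session can only ever yield the tokens of the user it was issued to, and a second login from another device shares the same stored tokens without a new authorization.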

OK, perfect, thanks for confirming. I will just self-maintain using a database like you describe.