
Ok, I really know what is it. I work with Facebook/Twitter API long ago. And it works, there is no bugs, sorry :). However, the following thing haunts me.

What is a token from the OAuth provider's side? I see the token from the client side only. But there is one interesting thing. It's easy to understand.

By default the token I receive is limited in time. However, when I request the API with offline access, the token I receive will work eternally with no time limits. Should the token be stored in the OAuth provider's database in this way? If so, what prevents users from generating billions of tokens? What if there are a lot of tokens and all of them are stored in the database with no time limits? The database then becomes a trash heap. Is this the right way?

I have two assumptions of how tokens are stored:

  1. The token is a simple ID for the set of access rights assigned to it, each token being stored on the OAuth provider's side.

  2. The token is an independent concept. The access rights are encrypted and packed into the token and then decrypted on the provider's side. The token lifetime is also packed into it.

The second question. What is the best way to store tokens if I want to develop my own OAuth provider?

odiszapc

1 Answer


The OAuth token is just an ID and doesn't contain any information. In fact, it would not be good if the token contained real information because that would make it easier to hack. The provider associates that token with your application account and stores any information they need in their own database. I don't know about Facebook, but Twitter OAuth tokens don't expire unless the owner regenerates them.

When you're doing OAuth, you'll know who the user is that is working with your program and have your own database table for holding user data. On the user's first OAuth authentication, grab their credentials and save them in your database. Then, on every subsequent query you make to the service (i.e. Twitter) reload those credentials so that the user doesn't have to authenticate all over again. If a query with current credentials fails, you might want to re-authenticate and save the new credentials - in case the old credentials expired for some reason. This way, you only have OAuth tokens for each user in your system and you manage the lifetime of that user.

Joe Mayo
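The two storage models listed in the question, together with the answer's point that an opaque token is only an ID, as an added Python example (not code from either poster): model 1 keeps the rights and expiry in the provider's own store under a random ID, so expired records can be pruned and a token can be revoked; model 2 packs the claims into an HMAC-signed token that needs no lookup but cannot be revoked before it expires. The class, function names and the signing key are assumptions made for illustration.

```python
import base64, hmac, json, secrets, time

class ReferenceTokenStore:
    """Model 1: the token is an opaque random ID; rights and expiry live in the provider's store."""
    def __init__(self):
        self._tokens = {}  # token -> {"sub", "scope", "exp"}

    def issue(self, sub, scope, ttl=None, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, carries no data itself
        self._tokens[token] = {"sub": sub, "scope": sorted(scope),
                               "exp": None if ttl is None else now + ttl}
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            return None  # unknown, or revoked
        if rec["exp"] is not None and now >= rec["exp"]:
            del self._tokens[token]  # expired: prune so the table does not grow forever
            return None
        return rec

    def revoke(self, token):
        self._tokens.pop(token, None)  # possible only because the provider holds the record

def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_self_contained(key, sub, scope, ttl, now=None):
    """Model 2: claims and expiry travel inside the token, integrity-protected by an HMAC."""
    now = time.time() if now is None else now
    claims = {"sub": sub, "scope": sorted(scope), "exp": now + ttl}
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _b64u(hmac.new(key, body.encode(), "sha256").digest())

def verify_self_contained(key, token, now=None):
    """No lookup is needed, but there is no per-token revocation: only expiry ends it."""
    now = time.time() if now is None else now
    body, _, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), "sha256").digest()
    if not tag or not hmac.compare_digest(expected, _unb64u(tag)):
        return None  # forged or tampered claims
    claims = json.loads(_unb64u(body))
    return None if now >= claims["exp"] else claims
```

The "offline access" case from the question is model 1 with `ttl=None`: the record is kept until it is explicitly revoked, which is why a provider needs a revocation path and periodic pruning rather than unbounded growth.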