
I have a server-side app that does some work with an API secured with OAuth 2.0. When I launch the app, I go through the OAuth authentication flow and get the access and refresh tokens.

Now, the problem is: my app works across multiple servers doing its thing.

Can I share the access token across all three servers, or do I have to go and get a new one for each (which requires user interaction -- what a hassle!)? I noticed that Google's APIs call the access tokens "Bearer" tokens, which I'm assuming means they can be used by whoever has them in hand, but:

  1. Is that common with other OAuth 2.0 APIs? Are there better recommended practices?
  2. Is that really the intended meaning?

Suggestions appreciated.

MarcWan

1 Answer


According to this site,

Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources

This means that yes, you can share it across all three servers. The document I referenced isn't particular to an API, so it shouldn't matter whether it is Google or some other site.

Rob Watts
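The answer's point in working code, as an added example that is not part of the question or the answer above: because a bearer token is honoured for whoever presents it, all servers can read the same token from one shared store and send it in the same `Authorization: Bearer ...` header. The one thing worth coordinating is the refresh, so that when the token expires only one server spends the refresh token and the others pick up the result. The `FakeAuthorizationServer`, the `SharedTokenStore` and the token strings are constructed for this example and stand in for a real token endpoint and for whatever shared storage (database, cache) the servers already have in common; the flip side of "anyone holding it can use it" is that that store must be protected like any other secret.

```python
"""Sharing one OAuth 2.0 bearer token across several servers.

Constructed example: the authorization server below is a stand-in for a
real token endpoint, and the store stands in for shared storage.
"""
import threading
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # Unix timestamp after which the access token is no longer valid


class FakeAuthorizationServer:
    """Stand-in for the OAuth 2.0 token endpoint (not a real client library)."""

    def __init__(self) -> None:
        self.refresh_calls = 0

    def refresh(self, refresh_token: str, now: float) -> TokenSet:
        # A real endpoint is POST /token with grant_type=refresh_token; here we
        # only mint a new access token and count how often we were asked.
        self.refresh_calls += 1
        return TokenSet(
            access_token=f"access-{self.refresh_calls}",
            refresh_token=refresh_token,
            expires_at=now + 3600,
        )


class SharedTokenStore:
    """One copy of the token set that every server reads from.

    Any server holding the bearer token can present it; the lock only makes
    sure that when it expires exactly one server performs the refresh and the
    rest reuse the new token instead of each calling the token endpoint.
    """

    def __init__(self, auth: FakeAuthorizationServer, initial: TokenSet, skew: float = 60.0) -> None:
        self._auth = auth
        self._tokens = initial
        self._lock = threading.Lock()
        self._skew = skew  # refresh a little before expiry to absorb clock drift between servers

    def _is_fresh(self, now: float) -> bool:
        return self._tokens.expires_at - self._skew > now

    def get_access_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._is_fresh(now):
            return self._tokens.access_token
        with self._lock:
            # Re-check under the lock: another server may have refreshed while we waited.
            if not self._is_fresh(now):
                self._tokens = self._auth.refresh(self._tokens.refresh_token, now)
            return self._tokens.access_token


def bearer_header(access_token: str) -> Dict[str, str]:
    """The header every server sends to the API, whichever server obtained the token."""
    return {"Authorization": f"Bearer {access_token}"}


def simulate_servers(n_servers: int, now: float) -> Tuple[List[str], int]:
    """Run n_servers workers that all need a token at the same moment, after the stored one expired."""
    auth = FakeAuthorizationServer()
    expired = TokenSet(access_token="access-0", refresh_token="refresh-xyz", expires_at=now - 1)
    store = SharedTokenStore(auth, expired)

    results: List[str] = []
    results_lock = threading.Lock()

    def worker() -> None:
        token = store.get_access_token(now)
        with results_lock:
            results.append(token)

    threads = [threading.Thread(target=worker) for _ in range(n_servers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, auth.refresh_calls


if __name__ == "__main__":
    tokens, refreshes = simulate_servers(3, now=1_700_000_000.0)
    print("tokens handed out:", tokens)
    print("refresh calls made:", refreshes)
    print("header each server sends:", bearer_header(tokens[0]))
```

With three workers racing on an expired token the store makes exactly one refresh call and hands the same new access token to all of them. In a real deployment the in-process `threading.Lock` would be replaced by a lock in the shared store itself, since the servers are separate machines.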