Suppose my site is example.com. When a user at client.com wants to log in via example.com (with OAuth2):

1. He comes to oauth.example.com/authorize, and oauth.example.com knows he's not signed in to web.example.com.
2. oauth.example.com redirects him to web.example.com.
3. He logs into web.example.com, then gets redirected back to oauth.example.com.
4. oauth.example.com somehow knows that he is logged into web.example.com.
5. oauth.example.com does its OAuth2 magic and sends him back to client.com.

My question is, how should oauth.example.com detect whether a user is logged in or not with web.example.com?

I'm considering letting web.example.com store session data in a DB, and having oauth.example.com look up the DB.

My concern is that when a session expires (without the user explicitly logging out), it might be possible for the two servers to get out of time sync. A user (A) might refresh web.example.com, find out his session is expired, and leave the computer open. Another user (B) might click "login with example.com", and oauth.example.com might consider user (A) still logged in (because time is not well synchronized).

Would synchronizing clocks with ntpd be the best I could do? Or should I scrap this idea and come up with something else?

- Implementation detail: I'm considering spring-session-jdbc, and it unfortunately doesn't remove session data on every expiration.
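The shared-session lookup sketched in the question, as an added example that is not from the post or from spring-session-jdbc. It uses an in-memory SQLite table with an assumed schema (session id, principal, last-access time, inactivity window) to show the two checks the authorization server needs: compute expiry from the row's own timestamps instead of trusting that the row exists, and shrink the window by a skew margin so clock drift between the hosts errs toward "not logged in".

```python
import sqlite3

# Tolerance for clock drift between web.example.com and oauth.example.com.
# The value is an assumption; it should exceed the worst drift you expect.
SKEW_MARGIN_S = 30


def open_store():
    """Constructed stand-in for the session table both hosts share."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE session (id TEXT PRIMARY KEY, principal TEXT, "
        "last_access REAL, max_inactive REAL)"
    )
    return db


def web_login(db, session_id, principal, now, max_inactive=1800):
    """web.example.com records a fresh session after the user logs in."""
    db.execute(
        "INSERT OR REPLACE INTO session VALUES (?, ?, ?, ?)",
        (session_id, principal, now, max_inactive),
    )


def oauth_lookup(db, session_id, now):
    """oauth.example.com decides whether the session is still live.

    A row being present is not enough: expired rows may linger until the
    store's cleanup job runs. Expiry is derived from the row's timestamps
    and reduced by the skew margin, so a slightly fast oauth clock or a
    slightly slow web clock cannot turn an expired session into a login.
    Returns the principal, or None when the user must log in again.
    """
    row = db.execute(
        "SELECT principal, last_access, max_inactive FROM session WHERE id = ?",
        (session_id,),
    ).fetchone()
    if row is None:
        return None
    principal, last_access, max_inactive = row
    expires_at = last_access + max_inactive - SKEW_MARGIN_S
    if now >= expires_at:
        return None
    return principal
```

The same timestamps written by web.example.com are the only source of truth; oauth.example.com never infers "logged in" from the row's mere presence.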