
I am building Google OAuth2 for my application. For now I am starting with a web client and planning for a mobile client in the future.

While storing the refresh and access tokens in the backend I am storing them as refresh_token_web and access_token_web so that it is clear that these tokens are for the web client. Basically, tokens are stored independently for each type of client.

As I understand it, tokens are given to the application and not to a specific client. If a user does OAuth2 using the mobile client, will refresh_token_web still work, or will it be out of scope?

Am I doing the right thing by storing tokens independently? Has anyone faced any issue with this approach?

Abhilasha

1 Answer


As I understand tokens are given for application and not for specific client

First you need to differentiate the roles involved in an OAuth scenario. According to the specification, a client is an application which requires tokens to access protected resources.

And then there's a resource owner who owns the actual resource. In most scenarios this will be a human user like you and me. But sometimes there are OAuth grants which allow issuing tokens for a client. For example, the Client Credentials Grant issues tokens to the client.

So to answer your question, first you need to differentiate the grant that you are using. If your application simply uses tokens issued to it, then you can simply use a set of tokens for that application in the backend. But if it involves end users, then you need to differentiate tokens per user.

Usually, your users will have a unique identifier (e.g. email is one such). So you may create two entries to store the refresh tokens of both applications (web and mobile) separately against the unique foreign key (which is the user ID). Also read through a related answer which discusses a similar subject here.

Kavindu Dodanduwa
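As an added example (not code from the question or the answer above), here is one way to lay out the backend storage the answer describes: one token set per (user ID, client) pair, so the web client and the mobile client each keep their own refresh token for the same user and re-authorizing from one client never touches the other's tokens. It uses SQLite for the store; the client names, user IDs and token values are constructed for the example, and the `COALESCE` on the refresh token is an added practitioner caveat for authorization servers that omit the refresh token on repeat authorizations.

```python
from __future__ import annotations

import sqlite3
from dataclasses import dataclass
from typing import Optional

# Registered client applications (constructed names for this example).
WEB_CLIENT = "web"
MOBILE_CLIENT = "mobile"

# One row per (resource owner, client): the user ID is the foreign key the
# answer mentions, and the composite primary key keeps web and mobile
# tokens for the same user from overwriting each other.
SCHEMA = """
CREATE TABLE IF NOT EXISTS oauth_tokens (
    user_id       TEXT NOT NULL,   -- unique identifier of the resource owner (e.g. e-mail)
    client        TEXT NOT NULL,   -- which registered client obtained the tokens
    access_token  TEXT NOT NULL,
    refresh_token TEXT,            -- NULL if the server issued none this time
    expires_at    INTEGER NOT NULL,-- access token expiry, seconds since epoch
    PRIMARY KEY (user_id, client)
)
"""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]
    expires_at: int


class TokenStore:
    """Per-user, per-client storage for OAuth access/refresh tokens."""

    def __init__(self, path: str = ":memory:") -> None:
        self.conn = sqlite3.connect(path)
        self.conn.execute(SCHEMA)
        self.conn.commit()

    def save(self, user_id: str, client: str, tokens: TokenSet) -> None:
        # Upsert keyed on (user_id, client). A new authorization from the web
        # client replaces only the web row; the mobile row is untouched.
        # COALESCE keeps the previously stored refresh token when the server
        # returned none on this authorization (added caveat, see lead-in).
        self.conn.execute(
            """
            INSERT INTO oauth_tokens (user_id, client, access_token, refresh_token, expires_at)
            VALUES (?, ?, ?, ?, ?)
            ON CONFLICT(user_id, client) DO UPDATE SET
                access_token  = excluded.access_token,
                refresh_token = COALESCE(excluded.refresh_token, oauth_tokens.refresh_token),
                expires_at    = excluded.expires_at
            """,
            (user_id, client, tokens.access_token, tokens.refresh_token, tokens.expires_at),
        )
        self.conn.commit()

    def get(self, user_id: str, client: str) -> Optional[TokenSet]:
        row = self.conn.execute(
            "SELECT access_token, refresh_token, expires_at "
            "FROM oauth_tokens WHERE user_id = ? AND client = ?",
            (user_id, client),
        ).fetchone()
        return TokenSet(*row) if row else None

    def clients_for(self, user_id: str) -> list[str]:
        # Which clients currently hold tokens for this user (sorted for stable output).
        rows = self.conn.execute(
            "SELECT client FROM oauth_tokens WHERE user_id = ? ORDER BY client",
            (user_id,),
        ).fetchall()
        return [r[0] for r in rows]

    def revoke(self, user_id: str, client: str) -> int:
        # Drop one client's tokens for a user (e.g. after the user signs out of
        # that client or the server reports the refresh token as invalid).
        cur = self.conn.execute(
            "DELETE FROM oauth_tokens WHERE user_id = ? AND client = ?",
            (user_id, client),
        )
        self.conn.commit()
        return cur.rowcount


if __name__ == "__main__":
    store = TokenStore()
    # Constructed token values; a real store would encrypt these at rest.
    store.save("alice@example.com", WEB_CLIENT, TokenSet("at-web-1", "rt-web-1", 1000))
    store.save("alice@example.com", MOBILE_CLIENT, TokenSet("at-mob-1", "rt-mob-1", 2000))
    print(store.clients_for("alice@example.com"))
    print(store.get("alice@example.com", WEB_CLIENT))
```

The two `save` calls for the same user land in separate rows because the client is part of the key; saving a fresh web authorization that carries no refresh token keeps the old web refresh token and still leaves the mobile row untouched.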