How to Store OAuth 2 Refresh Tokens

There are no recommendations to be found on the best way to implement OAuth 2 refresh token persistence, nor any common opinion on what actually needs to be stored and how.

Despite that, Taiseer Joudeh has a very good tutorial on OAuth authorization in ASP.NET Web API. This is the RefreshTokens table from the article:

[Image: the RefreshTokens table from the article]

where: Id is the hash of the token's unique identifier, Subject is the username, ClientId is the application identifier, and ProtectedTicket is the serialized access token.

I would like to confirm or challenge some of the decisions made there with the help of the SO community. So here are my questions:

  • Why do we need to store the access_token ticket at all? So far I can think of two reasons against this approach. First, it could potentially be a security risk to keep users' access tickets anywhere, just waiting for someone to grab them and reuse them in ways the server does not want (remember that they have to use the same serialization/deserialization algorithm). Second, you will have to take care of updating these stored tickets as soon as you decide to change any part of the serialization algorithm. So why don't we just create new tickets at runtime once we have checked client_id and refresh_token, instead of reading and deserializing them from the database?

  • access_token , ? + SHA2 ?

  • hash refresh_token id? ? , refresh_token, ? , refresh_token ( ) .

+4
1
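An added illustration of the alternative the first bullet describes, written for this page and not taken from the question or from Taiseer Joudeh's article: the store keeps only the SHA-256 hash of the refresh token (the Id column) together with Subject, ClientId and an expiry, never the raw token and never a serialized ProtectedTicket, and the access ticket is built at runtime after the client_id and refresh_token check. Python is used as a language-neutral sketch; the in-memory dictionary stands in for the RefreshTokens table, and the names RefreshTokenStore, issue, redeem, refresh_flow and the 30-day/30-minute lifetimes are assumptions made here.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed illustration: the dict below stands in for the RefreshTokens
# table and the method names are assumptions, not an ASP.NET API.

T0 = datetime(2020, 1, 1, tzinfo=timezone.utc)   # fixed clock for the demo
DAY = timedelta(days=1)


@dataclass
class RefreshTokenRow:
    """One row of the store. Only the hash of the token is kept; neither the
    raw refresh_token nor a serialized access ticket is persisted."""
    id: str              # SHA-256 hex digest of the refresh token handed to the client
    subject: str         # username
    client_id: str       # application the token is bound to
    issued_utc: datetime
    expires_utc: datetime


def hash_token(token: str) -> str:
    """Row key. A leaked table then exposes hashes, not usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RefreshTokenStore:
    def __init__(self, lifetime: timedelta = timedelta(days=30)):
        self._rows: Dict[str, RefreshTokenRow] = {}
        self.lifetime = lifetime

    def issue(self, subject: str, client_id: str, now: Optional[datetime] = None) -> str:
        """Create a refresh token for (subject, client_id). The raw token goes
        to the client; only its hash is stored."""
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        row = RefreshTokenRow(
            id=hash_token(token),
            subject=subject,
            client_id=client_id,
            issued_utc=now,
            expires_utc=now + self.lifetime,
        )
        self._rows[row.id] = row
        return token

    def has_hash(self, token_hash: str) -> bool:
        return token_hash in self._rows

    def redeem(self, token: str, client_id: str, now: Optional[datetime] = None) -> Optional[RefreshTokenRow]:
        """grant_type=refresh_token: look the row up by hash, consume it
        (single use), and accept it only if client binding and expiry hold."""
        now = now or datetime.now(timezone.utc)
        row = self._rows.pop(hash_token(token), None)
        if row is None:                      # unknown or already used token
            return None
        # The row is already gone, so a wrong client_id or an expired token
        # cannot be retried; the user has to go through a fresh grant.
        if row.client_id != client_id or now >= row.expires_utc:
            return None
        return row


def build_access_ticket(row: RefreshTokenRow, now: datetime,
                        lifetime: timedelta = timedelta(minutes=30)) -> dict:
    """Build the access ticket at runtime from the row: the alternative to
    reading back and deserializing a stored ProtectedTicket."""
    return {"sub": row.subject, "client_id": row.client_id,
            "iat": now, "exp": now + lifetime}


def refresh_flow(store: RefreshTokenStore, token: str, client_id: str, now: datetime):
    """One refresh_token grant. Returns (access_ticket, new_refresh_token)
    or None when the presented token is rejected."""
    row = store.redeem(token, client_id, now=now)
    if row is None:
        return None
    ticket = build_access_ticket(row, now=now)
    new_refresh = store.issue(row.subject, row.client_id, now=now)   # rotate
    return ticket, new_refresh


if __name__ == "__main__":
    store = RefreshTokenStore()
    first = store.issue("alice", "app1", now=T0)
    print("stored row id (hash only):", hash_token(first))
    outcome = refresh_flow(store, first, "app1", T0 + DAY)
    print("ticket built at runtime:", outcome[0] if outcome else None)
    print("replay of the same token accepted:",
          refresh_flow(store, first, "app1", T0 + DAY) is not None)
```

Because the lookup key is the hash, the raw token never needs to be compared against stored values, and rotating the refresh token on every use means a stolen token that is replayed after the legitimate client has used it is simply not found.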

:

1 2 - context.SerializeTicket , , DPAPI, machineKey . , , , .

3 - , , , , grant_type (refresh_token)

+2
