How can a WEB application that uses OAuth for authentication manage the user session?

Navigation
6

Usually sessions are used to maintain data of a certain user after he has logged into the WEB application, and it is the WEB application that is responsible for the control and management of this data stored in the session. It can use this to identify the user who is logged into the system and other purposes.

But when I read about the protocol OAuth , I did not quite understand how a web application (client-oauth) that allows a user to sign in using their Google account, can manage the session and keep it active and identify the logged in user or know when the user is logged in

In theory, would not it be Google (serve-oauth) itself that should manage the session instead of the WEB application that used OAuth to authenticate the user?

Summarizing

  • As a WEB application that uses OAuth for authentication, it manages the session and identify the user that is logged in, or know if it is logged in?
  • What types of data a Web application that uses OAuth for authentication receives as response from the OAuth server when the user is authenticated?
    • asked by anonymous 12.06.2017 / 20:22

    1 answer

    3

    There are several ways. Before, let's go to the questions:

      

    In theory, would not it be Google (serve-oauth) itself that should manage the session instead of the WEB application that used OAuth to authenticate the user?

    No. Google is responsible for authenticating the user and checking the validity of user information requests made by web applications.

      

    As a web application that uses OAuth for authentication, can you manage the session and identify the user that is logged in, or know if it is logged in?

    She herself would manage the sessions; the OAuth provider only validates access to the information of its registered users.

      

    What data types does a WEB application that uses OAuth for authentication receive as a response from the OAuth server when the user is authenticated?

    There are several formats, but in general the flow is designed to segregate layers - via the web the user validates, and the application receives a token that must be re-validated directly by the server - and only then the backend of the application will get the data of the user that is logging in.

    I think the stream can be best viewed if the steps are listed in sequence:

    • Your web application is registered with the OAuth provider. This will generate a secret key, which you will use in the future:
    • User connects to your web application. Without active session, you offer a page containing a list of OAuth providers that the user can use. The user selects, for example, Google.
    • The browser is redirected to the Google OAuth2 provider, along with a valid return URL (previously registered - in the above image, http://localhost was used).
    • User authenticates.
    • Google redirects back, along with a request token.
    • Your server receives a request from the browser that contains the request token - something like http://localhost/?token=1234567 .
    • The server establishes a direct connection to the back-end of Google, passing both the token and its secret key (for example, https://oauth.google.com/validate/?token=1234567&secret-key=abcdefgh .)
    • The Oauth provider validates whether token, secret key, and source URL are valid. If so, a payload is returned containing user data (JSON: {'email': '[email protected]'} , for example.)
    • Your application creates its own session, based on the information returned by Google's Oauth2 backend.

    Two important points:

    • Your web application never receives credentials (email + password) directly - these are validated on Google's servers.
    • Your end-end never receives the secret key, as this should only be used by the backend.
    12.06.2017 / 21:14
    Link address link with GPS applications PUT and DELETE Methods with HttpStream?