I am trying to understand OAuth 2.0(SERVER SIDE FLOW). Lets take simple example of Google contacts API.

As per specifications, I have registered my app with Google and have got Client ID and Client secret.Also i have mentioned callback URL.

Getting access token requires me to do

1. Redirect user to a certain URL with required query strings and headers as mentioned in OAuth document on Google site (https://accounts.google.com/o/oauth2/auth bla bla stuff)

2. After user enter their credentials, they are sent back to callback URL as mentioned in my APP which i have already registered with google. here querystring parameter &code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp6 bla bla is also appended to call back URL. Thus now have got authorization code

3. Now, i send a request to https://accounts.google.com/o/oauth2/token with authorization code i got in previous step so that i get access token and refresh token.

Once i have got this “access token” , i can access (say contact API and get user contacts)

Everything is fine upto this point. I also understand that access tokens have limited lifetime and we can get new access token using “refresh token”.

A.As a developer, is it my responsibility to store and check if the “access token” is valid?

B. If my website is a public website with “Login with Google/FB/twitter” account, how do i know that its the same user who has returned back to site after 2 days and i dont need him to ask for login, instead user should be auto-logged in to site ? cauz i dont want him to go through the authorization process as they have already given permission to my app.

E.G : I have logged into TechCrunch website using my FB login and can comment on articles. Now even after 1 week if i visit to TechCrunch , i dont have to login again. how do they know that its me and i am already authenticated ?