I’m currently working with the DevDefined OAuth. As far as I have been able to tell, the access tokens are never removed from the out-of-the-box in-memory store, so the only time they would be cleaned up is if they time out and get removed or if the application restarts. I’m curious how other people are working with this? It seems like a lot of applications just allow the authentication token to live on until the user says to remove it (assuming via log out); are people setting up some other kind of time out for it? Or perhaps a renewal? It seems like retaining them indefinitely might make sense for a social app or something, but I’m building a line of business application and it just doesn’t seem right.
Any thoughts or experience anybody can share would be very helpful?
Thanks
In general, you should hold on to the access token until it gets revoked by the service (either the user revoked it, or it expired). In which case, you can use your request token to get another access token. Some services have an API you can use to check the validity of your access token as well.
OAuth doesn’t really give you a provision to address your concern – for example, if your application has been authorized by the user, you can always get an access token from the request token.
If you are concerned for line of business applications, then maybe it is something you can handle in the application layer. For example, many apps I use require me to log in, but once I log in, it connects to the various OAuth services (i.e., it re-uses the access token) without asking me for further permission.
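The question asks how to keep tokens from living forever in an in-memory store, and the answer suggests handling that in the application layer. The following is an added example (not code from the question, the answer, or the DevDefined OAuth library) of what that application-layer policy can look like: a small in-memory store that gives each access token an absolute lifetime and an idle timeout, supports explicit revocation on logout, and sweeps expired entries. The class and method names (`ExpiringTokenStore`, `issue`, `lookup`, `revoke`, `sweep`) and the lifetimes are hypothetical choices for illustration; the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Added example: an in-memory access-token store with expiry and revocation.

Not part of the original question or answer and not DevDefined OAuth's own
API; names, lifetimes and token values are constructed for illustration.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    user: str          # principal the token was issued to
    issued_at: float   # clock reading when the token was issued
    last_used: float   # clock reading of the most recent successful lookup


class ExpiringTokenStore:
    """Holds access tokens in memory but never indefinitely.

    A token is rejected (and dropped) when either limit is exceeded:
      * max_lifetime  - absolute age since issue, regardless of activity
      * idle_timeout  - time since the token was last presented
    """

    def __init__(self, max_lifetime, idle_timeout, clock=time.monotonic):
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout
        self._clock = clock            # injectable for deterministic tests
        self._tokens = {}              # token string -> TokenRecord

    def _is_expired(self, record, now):
        return (now - record.issued_at > self.max_lifetime
                or now - record.last_used > self.idle_timeout)

    def issue(self, user):
        """Create a fresh, unguessable token for `user` and return it."""
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user, now, now)
        return token

    def lookup(self, token):
        """Return the owning user, or None if unknown or expired.

        A successful lookup refreshes the idle timer (sliding expiry) but
        never extends the absolute lifetime.
        """
        record = self._tokens.get(token)
        if record is None:
            return None
        now = self._clock()
        if self._is_expired(record, now):
            del self._tokens[token]    # drop lazily on first expired use
            return None
        record.last_used = now
        return record.user

    def revoke(self, token):
        """Explicit logout: remove the token now. Returns True if it existed."""
        return self._tokens.pop(token, None) is not None

    def sweep(self):
        """Remove every expired token (run periodically); returns the count."""
        now = self._clock()
        stale = [t for t, r in self._tokens.items() if self._is_expired(r, now)]
        for t in stale:
            del self._tokens[t]
        return len(stale)

    def __len__(self):
        return len(self._tokens)


if __name__ == "__main__":
    # Constructed demo: one hour absolute lifetime, ten minutes idle.
    store = ExpiringTokenStore(max_lifetime=3600, idle_timeout=600)
    tok = store.issue("alice")
    print("lookup ->", store.lookup(tok))
    print("revoke ->", store.revoke(tok), "; lookup after revoke ->", store.lookup(tok))
```

The lazy check in `lookup` means an expired token is rejected the moment it is presented even if no sweep has run yet; `sweep` exists so that tokens nobody presents again do not accumulate, which is the gap the question describes with the stock in-memory store.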