5

When you use a third party for authentication (E.g. Google/Facebook javascript SDK), their SDK keeps track of the login status.

If I have my own server, which requires an access token of it's own (which is issued after validating the third party authentication), how important is it to keep the access to my resource server in sync with the login status of the third party?

For example. If the third party login status changes to logged out, should I watch for this and automatically expire my own server access token. Or should I treat them quite separately?

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
Cameron
  • 151
  • 2
  • Your question is very fuzzy. but do you mean to ask how to prevent access-token reuse attacks? – LvB Feb 01 '16 at 11:51
  • No it's more about using a third party login on your own site. Like using stackexchange, I sign in with google, but then have a session to access resources on stackexchange. Would I need to keep the session in sync with the status of my google login? If that makes sense? – Cameron Feb 01 '16 at 12:19
  • 2
    In my opinion, once the user has authenticated its up to you to timeout the session in your service, if the provider has a session timeout of 15 mins, and you set a timeout of 10 minutes, then after 10 mins of inactivity the user will have to re-authenticate and that refreshes their 15 minutes on the 3d party provider – Purefan Feb 01 '16 at 12:24

1 Answers1

1

If you're using oAuth with Facebook or Google you will be issued an "access token" for the user to access your application. This access token will have an expiry.

Once it is expired, you should use a "refresh token" to ask for another "access token" for the user. If this is not granted, this is when you should logout the user.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178