
When using authorization codes (in the explicit OAuth2 flow), the user agent never seems to see anything other than the auth code, which does not even identify the user. The code is then sent to the client, who will now know the user's identity and can access the protected resource. But the user agent still seems to be kept in the dark about who is logged in.

So how does a user agent know who is logged in?

keithlee96
  • Please note that OAuth2 is NOT intended for *authentication* (logging in), but is instead intended for (the delegation of) *authorization*. – Jacco Feb 13 '18 at 07:43
  • See also: https://security.stackexchange.com/questions/133065/why-is-it-a-bad-idea-to-use-plain-oauth2-for-authentication/133073#133073 – Jacco Feb 13 '18 at 07:43

1 Answer


What you're referring to is session management, which is not part of the OAuth 2 specification.

In practice, for session management many solutions make use of the HTTP session. After successful authentication the server stores whatever user-related information in the HTTP session on the server side. If you close your user agent/browser, it will kill the HTTP session, in which case you'd have to log in again. Except for the HTTP session, the user agent doesn't actually need to know any of the tokens involved.

If you want a user's session to persist even after closing a browser, one way would be to use cookies.

HTLee
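The pattern the answer describes, as an added example that is not part of the original post: after the back-channel code exchange, the client stores the identity and the access token server-side and hands the browser only an opaque, unguessable session id in a cookie. The token endpoint is replaced by a constructed lookup table, and the session TTL, cookie name and flag choices are assumptions; the `persistent` switch shows the difference between a browser-session cookie and one that survives closing the browser.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed stand-in for the authorization server's token endpoint:
# maps an authorization code to what the client learns from the exchange.
# A real client would make an HTTPS POST here over the back channel.
FAKE_TOKEN_ENDPOINT = {"code-abc123": {"sub": "user-42", "access_token": "at-secret"}}

SESSION_TTL = 3600  # seconds; assumed value, not from the original post


class SessionStore:
    """Server-side session store: the browser only ever holds the opaque id."""

    def __init__(self):
        self._sessions = {}

    def create(self, identity, now=None):
        sid = secrets.token_urlsafe(32)  # unguessable and carries no user data
        self._sessions[sid] = {"sub": identity["sub"],
                               "access_token": identity["access_token"],  # never leaves the server
                               "expires": (now or time.time()) + SESSION_TTL}
        return sid

    def lookup(self, sid, now=None):
        entry = self._sessions.get(sid)
        if entry is None or (now or time.time()) >= entry["expires"]:
            self._sessions.pop(sid, None)  # drop expired sessions on access
            return None
        return entry["sub"]


def handle_callback(store, code, persistent=False):
    """Redirect-URI handler: exchange the code, open a session, return the Set-Cookie header."""
    identity = FAKE_TOKEN_ENDPOINT.get(code)
    if identity is None:
        return None  # unknown or reused code: no session is created
    sid = store.create(identity)
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True   # keep the id out of reach of page scripts
    cookie["sid"]["secure"] = True     # only send it over TLS
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    if persistent:
        cookie["sid"]["max-age"] = SESSION_TTL  # survives closing the browser
    return cookie.output(header="Set-Cookie:")


def whoami(store, cookie_header):
    """Resolve a request's Cookie header to the logged-in subject, or None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    return store.lookup(morsel.value) if morsel else None
```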