ealeksandrov/NodeAPI

How to work around user logout functionality? Can I revoke an OAuth token?

Closed this issue · 3 comments

Hello ealeksandrov,

Firstly, I thank you for the excellent blog on implementing an OAuth server in combination with passport-local. If I go with this strategy:

  1. How can I work around logout functionality? Traditionally, logout means either the user session or the cookie object is deleted/destroyed, which can be built again easily. But here, as I authenticate API endpoints using the generated access token, can I consider OAuth access token revocation to achieve logout functionality? Is my analogy correct? Please suggest a better process if I'm wrong.

  2. Can I implement social logins like FB, Google & LinkedIn if I use NodeAPI? I'm thinking of using passport-facebook and storing that access token in the access-token document to authenticate the users and endpoints. Is this idea correct? If not, please suggest a better one.

Regards,
Sai.

  1. Just remove AccessToken for user from database on logout.
  2. Yes, you're right, but I can't say much about this; look for passport.js guides and examples. Since passport.js is already used in this project, it should be pretty straightforward to add more passport modules.

Hi ealeksandrov,
Thank you for the quick reply. If I remove access tokens from the user's record on the logout event, to re-create access tokens for logged-out users I'm thinking as follows:

  1. Though we nullify the access token, we persist the logged-out user's refresh token.
  2. So, when a logged-out user tries to log in again, as there is no access token I will check for the user's refresh token using "user/email"; this check is to validate whether the user was already registered or is a new user.
  3. If validation is successful, I will make a POST to generate a new access token using the refresh token.

I'm thinking of this flow, but how far is this flow optimized? Please suggest if there is a better flow or if I'm missing something.

But for how many days is the refresh token valid? On googling I found that it was 14 days. But what if a user logs out and tries to log in again after 20 days, when there is no valid refresh token to generate an access token again? How to deal with this scenario? Please suggest if you have any idea.

Regards,
Sai.

What's the problem with removing both tokens on logout? Seems like a straightforward idea.

Refresh token time - choose based on business requirements.

For your last question - just return 401 when the refresh token is expired and handle logout on the mobile client when this error is encountered. Here is an example that is similar to my implementation - artsy/eidolon:

  1. If everything is valid, just do the request.
  2. If the token is expired, do a refresh.
  3. If error 401 is received, drop the user out of the application to the login screen.
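The three-step client flow above, and the "401 when the refresh token is expired" rule it relies on, as an added example. This is neither artsy/eidolon's code nor NodeAPI's: the server here is a stateless stub that encodes the issue time in the token so the example runs offline with a controllable clock, and the one-hour access lifetime and the `invalid_token` / `invalid_grant` error bodies are assumptions (the 14-day refresh lifetime is the figure quoted in the thread).

```javascript
// Added example (not NodeAPI's or artsy/eidolon's code): client-side handling of
// expired access and refresh tokens. Lifetimes and error bodies are assumed.
const ACCESS_LIFETIME_MS = 60 * 60 * 1000;            // 1 hour (assumed)
const REFRESH_LIFETIME_MS = 14 * 24 * 60 * 60 * 1000; // 14 days, as quoted in the thread

// Stub server. Tokens carry their issue time ("at3:1700000000000") purely so the
// stub can stay stateless; a real server looks the token up in its store instead.
function makeServer(clock) {
  let serial = 0;
  const issue = () => {
    const issued = clock.now();
    return { accessToken: `at${++serial}:${issued}`, refreshToken: `rt${++serial}:${issued}` };
  };
  const expired = (token, lifetime) => clock.now() - Number(token.split(':')[1]) > lifetime;
  return {
    login: () => issue(),
    // Protected resource: 401 once the access token has outlived its lifetime.
    getProfile: (accessToken) =>
      expired(accessToken, ACCESS_LIFETIME_MS)
        ? { status: 401, body: { error: 'invalid_token' } }
        : { status: 200, body: { name: 'sai' } },
    // Token endpoint: 401 when the refresh token itself has expired, which is
    // the signal the maintainer says the client should treat as a logout.
    refresh: (refreshToken) =>
      expired(refreshToken, REFRESH_LIFETIME_MS)
        ? { status: 401, body: { error: 'invalid_grant' } }
        : { status: 200, body: issue() },
  };
}

class ApiClient {
  constructor(server) {
    this.server = server;
    this.tokens = null;      // { accessToken, refreshToken } or null when logged out
    this.loggedOut = false;  // set when the refresh token is rejected
  }

  login() {
    this.tokens = this.server.login();
    this.loggedOut = false;
  }

  // Steps 1-3 from the comment: try the request, refresh once on 401, and drop
  // the user to the login screen when the refresh is rejected as well.
  request(call) {
    if (!this.tokens) return { status: 'login_required' };
    let res = call(this.tokens.accessToken);                  // 1. try the request
    if (res.status === 401) {                                 // 2. access token expired: refresh
      const r = this.server.refresh(this.tokens.refreshToken);
      if (r.status === 401) {                                 // 3. refresh rejected: log out
        this.tokens = null;
        this.loggedOut = true;
        return { status: 'login_required' };
      }
      this.tokens = r.body;                                   // store the new pair
      res = call(this.tokens.accessToken);                    // retry exactly once
    }
    if (res.status !== 200) return { status: 'error', data: res.body };
    return { status: 'ok', data: res.body };
  }
}

module.exports = { makeServer, ApiClient, ACCESS_LIFETIME_MS, REFRESH_LIFETIME_MS };
```

The retry is deliberately limited to one attempt: a second 401 after a successful refresh means something other than expiry (for example the server-side revocation from the earlier answer), and looping on refresh would only hammer the token endpoint.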