Question

Disclaimer: I am asking this question with regard to a school project. The purpose of the project is hands-on learning and simulation of a real-world software development project. I am fully aware that I don't properly understand what I am doing; and I am not putting anyone at risk in the case of designing a very flawed system.

I am trying to use OAuth to allow users to login to a web app using their Google accounts. Basically, everyone with an @company.name.here Google account should be allowed in and given the same permissions. All I need to do with their Google accounts is to use them as proof that they are indeed working at Company Name Here.

The app will mostly need this authentication, in order to do a bunch of CRUD operations.

Now, here's what I want to know: How often should I be checking my access token(s)? Every time the user makes a CRUD operation? Should I also check them every few minutes? Something completely different?

Or am I thinking about this all wrong and I need to get a better grasp of OAuth?

Solution

OAuth stands for Open Authorization. You are using it for authentication.

The following article discusses the differences between authorization and authentication:

OAuth 2.0 is not an authentication protocol.


Fundamentally, in using OAuth for authentication, your web app is being given authorization to access the user's identity.

From this Server Side Flow (also this):

First, you have to have previously registered your web app with Google.

When the user goes to your web site, if they are unknown to you (not logged in to your web server), your web server can ask Google's OAuth service for their identity. If it is the first time the user is doing this, Google will interact with the user to authorize your web app. Assuming the user agrees, Google gives you an OAuth token that you use to see their identity.

Once you've done that you log them into your web server; this is done by giving the user a browser cookie that identifies them to you. Your web server holds onto that cookie for the duration of the session with the user. That cookie represents them being logged in with your web app, and as a cookie, will be returned to you by the browser on each subsequent interaction they do with your web server (such as CRUD requests).

Each web page or interaction of your web server with the user should involve your web server checking the cookie to make sure they are authenticated (i.e. logged in to your web server). (If the web server does not get a cookie from the browser, or does not recognize the cookie, then it should redirect the user to its logon page.)

If the user wants to log out of your application, you remove the cookie from your web server's memory -- you disassociate that cookie from their identity. (You should also remove the cookie from the user's browser.)

So, in this scenario, you only use the OAuth token once to obtain their identity (e.g. email address) and then use that to log them into your server. Thereafter you're using your own log-on mechanism. You can age the log-ins, for example, log them out after an hour of inactivity.


You don't really know the user works at that company, but I believe you have certainty that the user has (had) access to/control of the email address Google gives you for them (at least at the time they signed up with Google Plus).


Ideally, you would ask the user for a choice in OAuth services, such as Google Plus, Windows Live, Facebook, Twitter, ... All the services work pretty much the same, just with different end points for the OAuth server. Google provides a library to invoke the OAuth end point requests, but you don't need a library to do it as it is pretty easy to do directly.


Also, as you give the user a log in cookie, you should be using https, as well as following the other security information in the server side flow link.

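To make the server-side flow in the answer concrete, here is an added Python sketch that is not code from the answer, from the question's project or from Google's libraries. It shows the pieces the answer describes: checking the identity Google hands back (here the domain check the asker wants), creating a session keyed by a random cookie value, checking that cookie on every CRUD request, aging sessions out after inactivity, and logout. The claim names `email`, `email_verified` and `hd` are the ones Google puts in an ID token; everything else (the function and class names, the one-hour timeout, the sample claims) is an assumption made for illustration. It also assumes the OAuth client library has already verified the token's signature, issuer, audience and expiry before these claims are trusted.

```python
import secrets
import time

# Constructed example of the identity claims a server holds after exchanging
# the authorization code with Google (decoded ID token / userinfo).
# Values are made up for illustration.
EXAMPLE_CLAIMS = {
    "sub": "1234567890",
    "email": "alice@company.name.here",
    "email_verified": True,
    "hd": "company.name.here",  # hosted domain of a Google Workspace account
}


def allowed_identity(claims, allowed_domain):
    """Return the email if the claims prove a verified account in allowed_domain, else None.

    Assumption: token signature, issuer, audience and expiry were already
    verified by the OAuth client library; only the claims are checked here.
    """
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        return None
    # Check the hosted-domain claim, not just the text after '@': 'hd' is set
    # by Google for Workspace accounts and is the reliable signal of membership.
    if claims.get("hd") != allowed_domain:
        return None
    if email.rsplit("@", 1)[-1].lower() != allowed_domain.lower():
        return None
    return email.lower()


class SessionStore:
    """Server-side sessions keyed by an opaque random cookie value."""

    def __init__(self, idle_timeout=3600):
        self.idle_timeout = idle_timeout  # seconds of inactivity before re-login
        self._sessions = {}  # token -> {"email": str, "last_seen": float}

    def create(self, email, now=None):
        now = time.time() if now is None else now
        # 256 bits of randomness; never derived from the email or anything guessable.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"email": email, "last_seen": now}
        return token

    def lookup(self, token, now=None):
        """Return the logged-in email for a cookie value, or None if unknown or idle too long."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session["last_seen"] > self.idle_timeout:
            del self._sessions[token]  # aged out; the user must log in again
            return None
        session["last_seen"] = now  # sliding inactivity window
        return session["email"]

    def destroy(self, token):
        """Logout: forget the cookie server-side (the browser copy is cleared separately)."""
        self._sessions.pop(token, None)


def login_with_google(store, claims, allowed_domain, now=None):
    """Runs once, after the OAuth redirect: turns Google's claims into a local session."""
    email = allowed_identity(claims, allowed_domain)
    if email is None:
        return None  # caller shows an "account not allowed" page
    return store.create(email, now)


def handle_crud_request(store, cookie_value, now=None):
    """Per-request check: every CRUD handler consults the local session, not Google."""
    email = store.lookup(cookie_value, now) if cookie_value else None
    if email is None:
        return ("redirect", "/login")
    return ("ok", email)
```

The value returned by `login_with_google` is what goes into the session cookie; send it only over https and set it with the `Secure`, `HttpOnly` and `SameSite` attributes so scripts and cross-site requests cannot read or replay it. The Google access token itself is never stored or re-checked per request: once the email is known, the local session is the only thing a CRUD handler looks at.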
Licensed under: CC-BY-SA with attribution