Question

I am working on using OAuth 2.0 to replace an existing login/password system. It works great except for one issue:

  1. Open a tab and browse to the login page. If currently logged in to Google, get the account info.
  2. Open a 2nd tab, log out of Google and log into a different account (or don't log in at all).
  3. Go back to the first tab and refresh. Note that the returned account info is from the first account.

I realize this is just tied to the access token. What I'd like to know is

  1. how to always get the access token from the currently logged-in account,
    -- or --
  2. how to check the authenticity or status (or equivalent) of an access token.

Solution

Each tab in your browser is a separate browser session. The browser should not allow tab A cookies or session information to be visible to tab B. If it did, then malicious code in tab A could steal your bank account info, passwords, access tokens, etc. simply because you have your bank account open in tab B.

So, the fact that the first tab in your example still shows the account info of the first login even after you have logged in under a different account in a different tab is expected behavior, as designed, if the URLs of the respective tabs are on different domains.

If the tabs are viewing the same URL or same domain, then refreshing the first tab to reflect what you've done in the 2nd tab should be a matter of flushing session state and refetching cookies. This is the responsibility of the web app code, not the browser, IMO.

To check that an oauth2 access token is valid, you have two choices:

  1. Treat the access token as an opaque blob, and keep track of the expiration time that was returned when the access token was acquired.
  2. Crack open the access token and see what's inside. OAuth2 does not define what the access token contains or how it is formatted.

Some OAuth2 token servers simply return a GUID or other opaque identifier that carries no additional info for the client.

However, many OAuth2 token servers are implementing access tokens as JWTs (JSON Web Tokens). Carrying client-visible data inside the access token provides a means to support claims-based, fine-grained authorization opportunities for client applications. JWTs are usually signed to ensure authenticity and fidelity. JWTs can be encrypted for privacy, though this is fairly rare.

If the OAuth token server returns access tokens in JWT format, then you can decode the JWT to extract the token expiration time from the 'exp' claim inside.

Some OAuth2 token servers also offer an API to validate an access token as a web request. This is basically required for systems handing out opaque access tokens. Google's OAuth implementation provides an access token validation function: https://developers.google.com/accounts/docs/OAuth2UserAgent#validatetoken
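An added example of option 2 above, in Python (not code from the answer or from StackOverflow): it mints a constructed HS256 JWT with a made-up key, reads the 'exp' claim the way a client would to decide when to refresh, and shows the signature check a resource server must perform before trusting any claim. The key, the claims and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key; a real token server never shares its signing key.
SAMPLE_SECRET = b"example-hs256-key-not-real"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256-signed JWT; used here only to build the constructed sample."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def read_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature.
    Fine for a client deciding when to refresh; anything that grants access
    based on these claims must call verify_hs256 (or check the issuer's key) first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))

def verify_hs256(token: str, secret: bytes) -> dict:
    """Recompute the HMAC (ignoring the header's alg) and compare in constant time."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))

def is_expired(token: str, now: Optional[float] = None) -> bool:
    """True once the 'exp' claim (seconds since epoch) has passed."""
    exp = read_claims(token).get("exp")
    if exp is None:
        raise ValueError("no exp claim: treat the token as opaque and track expiry yourself")
    return (time.time() if now is None else now) >= exp
```

For tokens from a real issuer the signature is normally RS256/ES256 over the issuer's published public key, so swap verify_hs256 for a library that fetches that key; the exp handling stays the same.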

License: CC-BY-SA attribution
Not affiliated with StackOverflow