Connie744: Automatic re-authentication at an OAuth2 endpoint


I am currently (ab)using an oauth2 endpoint of an API to enable users of the API to log in to my site (using response_type=code).
I do not save refresh tokens or even the access_token, as that oauth2 endpoint doesn't support scopes and I want to minimize the danger of stolen accounts.

The oauth2 endpoint does a successful redirect to my auth page (PHP) if the user already granted my client_id permissions and is already logged in via that service. This happens without user interaction.
My auth page will set some session variables and redirect to the appropriate page.

As the session to my server could expire when the user has just created a lot of data and wants to save it (via ajax), I want to automatically re-authenticate the user via the oauth2 provider (in case the session there is still alive) without sending him on a series of redirects.
Thus the idea is:

If a once-logged-in user needs to be re-authenticated, I create an image with an onload/onerror listener pointing to my auth endpoint.
My auth endpoint will then redirect to the oauth2 endpoint, which in turn redirects back to my auth site if the user already granted the permissions.
My auth endpoint updates the session and returns a single-pixel image if the authentication was successful. Otherwise not.
If the image.onload event fires on the client side and the image width * height == 1, the user is re-authenticated.
If the onerror event fires or width*height != 0, user interaction is required.

Are there any potential problems I may have missed, and/or does this pattern exist and are there papers about it?

As far as I see, this way we would generate one more request to the oauth2 endpoint if the user session at the oauth2 provider is expired / the permissions were revoked.
On the other hand, if the user is still authenticated, we don't need any additional requests, and the user doesn't need to load all the CSS+JS of the oauth2 endpoint.
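The image-probe pattern described in the post, written out as an added example that is not part of the original post or of any library: the client-side probe (an Image whose onload/onerror and 1x1 size decide the result) together with the decision the auth endpoint makes once the OAuth2 provider redirects back. The endpoint path /auth/reauth, the session object, the injected exchangeCode function standing in for the real token request, and the injectable createImage factory (so the same logic runs in a browser with new Image() and in Node for testing) are all assumptions of this example. Two points the post does not spell out are included because they change whether the probe is trustworthy: the OAuth2 state value is checked against the session before the code is accepted, and the pixel is served with Cache-Control: no-store and requested with a cache-busting parameter, since a cached pixel would report success for a session the server never refreshed.

```javascript
// Added example (not from the original post). Assumed names: /auth/reauth,
// session store, exchangeCode, createImage.

// Smallest 1x1 transparent GIF; this is the "success" pixel the endpoint returns.
const ONE_PIXEL_GIF = Buffer.from(
  'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7', 'base64');

// Headers that stop the browser from replaying a cached pixel on a later probe.
function noStore() {
  return { 'Cache-Control': 'no-store, max-age=0', Pragma: 'no-cache' };
}

/**
 * Server side: what the auth endpoint returns once the OAuth2 provider has
 * redirected back with ?code=...&state=... (parsed into `query`).
 * `exchangeCode` (assumed) performs the code-for-identity exchange and
 * returns { sub } on success or null on failure.
 */
function handleReauthCallback(session, query, exchangeCode) {
  // state must equal the value stored when this flow was started; otherwise
  // a forged callback could bind the browser to an account it did not pick.
  if (!query.state || query.state !== session.pendingState) {
    return { status: 403, headers: noStore(), body: '' };
  }
  delete session.pendingState; // state is single use
  const identity = exchangeCode(query.code);
  if (!identity) {
    return { status: 403, headers: noStore(), body: '' };
  }
  session.userId = identity.sub;
  session.authenticatedAt = Date.now();
  return {
    status: 200,
    headers: { ...noStore(), 'Content-Type': 'image/gif' },
    body: ONE_PIXEL_GIF,
  };
}

/**
 * Client side: probe the auth endpoint as an image. Resolves true only when
 * the image loads and is exactly 1x1; false on error, any other size, or
 * when nothing fires within timeoutMs (a hung redirect chain must not leave
 * the page waiting forever).
 */
function silentReauth(authUrl, { createImage, timeoutMs = 5000, now = Date.now } = {}) {
  return new Promise((resolve) => {
    const img = createImage();
    let settled = false;
    const finish = (ok) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve(ok);
    };
    const timer = setTimeout(() => finish(false), timeoutMs);
    img.onload = () => finish(img.width * img.height === 1);
    img.onerror = () => finish(false);
    // Cache-busting query parameter so every probe reaches the server.
    img.src = authUrl + (authUrl.includes('?') ? '&' : '?') + '_=' + now();
  });
}

module.exports = { handleReauthCallback, silentReauth, noStore, ONE_PIXEL_GIF };
```

In a browser the probe is started with `silentReauth('/auth/reauth', { createImage: () => new Image() })`, and the page retries the pending ajax save only when the promise resolves true; a false result is the signal to send the user through the interactive login instead.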
