-
Hello @kaioker It seems like you're trying to implement a system where user information can be accessed even when the user is offline, and this information should be updated across all client services when changes are made. The challenge here is to maintain this access even when the user is offline, and to ensure that any changes to the user information are reflected across all client services. One possible solution could be to use refresh tokens. In OAuth2 and OpenID Connect, when an access token expires, a refresh token can be used to obtain a new access token without the user's involvement. This could potentially allow you to maintain access to the user's information even when they are offline. However, it's important to note that the use of refresh tokens needs to be done securely and in a way that respects the user's granted scopes. Also, when a user revokes consent, the connection to the user information should be severed. As for how services like Google and Facebook do this, they likely have complex custom systems in place to manage user information and consent across multiple services. They may also use APIs to retrieve user information, although this would need to be done in a way that respects user consent and the principles of OAuth. Unfortunately, I don't know a solution to your specific problem. I would recommend looking into the official OAuth2 and OpenID Connect specifications, as well as the Ory Hydra documentation and possibly source code for more information on how to implement this. My Sources:
-
we need a way of accessing a user's scopes after the user has left the system, assuming they have consented to the use of their info while offline at the consent screen.
example usage: user A signs into a client website using oauth, granting scopes from the user database, and leaves a comment on user B's post.
user A then logs out. when user B opens their page, they should see user A's name and profile photo next to their comment.
as the user information is stored on the user database system, the client service needs a way to display user A's information to user B without user A being online.
overall there are three systems in play:
the user database contains information about the user such as name, email, and profile photo. each of these are available as scopes that can be granted to the multiple client services based on the consent provided at login through the oauth2 server
attempted solutions:
first we attempted to store the access and refresh tokens in a database; however, if the user refreshed the token themselves, the server-stored access was invalidated, and if the server refreshed the token, the user was invalidated. users signing in from multiple devices got disconnected from all devices and the server.
second we tried to run the login flow twice. once for the user, and follow it with a second for the client. this resulted in lockouts as the second request nulls the first request's tokens, causing an infinite redirect loop.
third we tried logging in the user, storing the credentials, then abandoning the session and logging in again with a different session id. the ory hydra server detected this as replay abuse and locked all the tokens causing the same issues as before.
at this point we see only two remaining options:
preferred solution:
a way for the client to get the user information from the database without interrupting the access and refresh tokens the user is using to remain logged in. this needs to be done securely and respect the user's granted scopes. ideally this is also disconnected when the user rejects all outstanding tokens.
for example: user B has decided they no longer want to be associated with a particular client service and so rejects all active tokens for that client through the oauth server. this should sever the connection between the client service and the user information database, but leave the connection to other client services that still have consent alive.
are we going about this the wrong way? how do services like Google and Facebook do this? I have a Google account and my profile picture is available on comments on YouTube or wherever I have signed in using it, and it updates everywhere within a day if I change my profile pic or display name, so it must be possible in some capacity.
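The two behaviours this thread runs into, a stored refresh token being invalidated when another holder refreshes it and a reused token being treated as replay abuse that locks the whole grant, plus the per-client consent revocation the reply above says must sever access, can be modelled in a few dozen lines. The following is an added example, not Ory Hydra's code or anything from this thread: `AuthServer` is a constructed in-memory authorization server that implements single-use (rotating) refresh tokens with reuse detection and per-client consent revocation, and the two scenario functions reproduce the shared-token failure and the separate-grant case with constructed client ids, subject and profile data.

```python
"""Model of refresh-token rotation, reuse detection and per-client consent
revocation. Added example; the AuthServer class is a constructed in-memory
model, not Ory Hydra, and all client ids, subjects and profile data are made up."""
import secrets
from dataclasses import dataclass, field


class TokenError(Exception):
    """Raised when a token is unknown, revoked, or has already been rotated away."""


@dataclass
class Grant:
    """One consent grant: a subject authorised one client for some scopes."""
    client_id: str
    subject: str
    scopes: frozenset
    refresh_token: str                        # currently valid single-use refresh token
    spent: set = field(default_factory=set)   # refresh tokens already rotated away
    revoked: bool = False


class AuthServer:
    def __init__(self):
        self.grants = {}          # grant_id -> Grant
        self.refresh_index = {}   # refresh token (valid or spent) -> grant_id
        self.access_index = {}    # access token -> (grant_id, scopes)

    def _mint(self, grant_id, grant):
        """Issue a new access/refresh pair bound to the grant."""
        access = secrets.token_urlsafe(16)
        self.access_index[access] = (grant_id, grant.scopes)
        refresh = secrets.token_urlsafe(16)
        grant.refresh_token = refresh
        self.refresh_index[refresh] = grant_id
        return {"access_token": access, "refresh_token": refresh}

    def authorize(self, client_id, subject, scopes):
        """Consent granted at the consent screen: create a grant with its own refresh token."""
        grant_id = secrets.token_hex(8)
        grant = Grant(client_id, subject, frozenset(scopes), refresh_token="")
        self.grants[grant_id] = grant
        return grant_id, self._mint(grant_id, grant)

    def refresh(self, client_id, refresh_token):
        """refresh_token grant: rotate the token; a spent token is treated as a leak."""
        grant_id = self.refresh_index.get(refresh_token)
        if grant_id is None:
            raise TokenError("unknown refresh token")
        grant = self.grants[grant_id]
        if grant.revoked or grant.client_id != client_id:
            raise TokenError("grant revoked or wrong client")
        if refresh_token in grant.spent:
            # Reuse of a rotated-away token: revoke the whole family, as the thread observed.
            self.revoke_grant(grant_id)
            raise TokenError("refresh token reuse detected; grant revoked")
        grant.spent.add(refresh_token)
        return self._mint(grant_id, grant)

    def revoke_grant(self, grant_id):
        """Invalidate every access token issued under this grant and block further refreshes."""
        self.grants[grant_id].revoked = True
        for tok, (gid, _) in list(self.access_index.items()):
            if gid == grant_id:
                del self.access_index[tok]

    def revoke_consent(self, subject, client_id):
        """User withdraws consent for ONE client; grants to other clients are untouched."""
        for gid, g in self.grants.items():
            if g.subject == subject and g.client_id == client_id and not g.revoked:
                self.revoke_grant(gid)

    def userinfo(self, access_token):
        """Return only the profile fields covered by the token's granted scopes."""
        entry = self.access_index.get(access_token)
        if entry is None:
            raise TokenError("access token invalid or revoked")
        _, scopes = entry
        profile = {"name": "User A", "picture": "https://example.invalid/a.png",
                   "email": "a@example.invalid"}        # constructed sample profile
        return {k: v for k, v in profile.items() if k in scopes}


def shared_token_scenario(server):
    """Failure mode from the thread: browser session and backend store hold the SAME refresh token."""
    _, tokens = server.authorize("comments-app", "userA", {"name", "picture"})
    backend_copy = tokens["refresh_token"]
    browser_copy = tokens["refresh_token"]
    server.refresh("comments-app", backend_copy)      # backend refreshes first: token rotates
    try:
        server.refresh("comments-app", browser_copy)  # browser presents the now-spent token
    except TokenError as e:
        return str(e)
    return "no error"


def separate_grant_scenario(server):
    """Each client holds its own grant; revoking consent for one client leaves the other alive."""
    _, backend = server.authorize("comments-app", "userA", {"name", "picture"})
    _, photos = server.authorize("photos-app", "userA", {"picture"})
    backend = server.refresh("comments-app", backend["refresh_token"])  # refreshes independently
    shown_before = server.userinfo(backend["access_token"])
    server.revoke_consent("userA", "comments-app")
    try:
        server.userinfo(backend["access_token"])
        comments_after = "still accessible"
    except TokenError:
        comments_after = "severed"
    photos_after = server.userinfo(photos["access_token"])
    return shown_before, comments_after, photos_after
```

Running `shared_token_scenario(AuthServer())` ends with the reuse-detection error, which is the lockout the thread describes when two holders share one refresh token; `separate_grant_scenario(AuthServer())` shows the backend's own grant surviving its own refreshes, the `comments-app` access being cut off by consent revocation, and the `photos-app` grant (and its scope-limited profile) staying alive.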