OAuth2 "Stay Logged In", etc

I have nearly finished my new service and I am trying to enhance the UX by giving users the chance to sign up with Twitch, Google+, Facebook, etc.

The authentication part (obtaining the access token and getting the email address, etc.) is already finished, but I have never used OAuth2 this deeply, so I have some questions:

How should I handle the “Sign In With Twitch” action?
I thought of just obtaining the user's email and saving it to my DB.

What should I save in my DB?
Which data should I save to the new user document in my DB?

  • access_token (which expires) (=> only needed once, when the app requests the user's email…)
  • refresh_token
  • Twitch User ID?

How can a user re-login with the Twitch account?
What is the best way to let a user log in a second time?
Do I have to request a new access token via https://api.twitch.tv/kraken/oauth2/authorize ?

What is the best way to let the user stay signed in?
Should I set an expiration date after a user signed up with Twitch?
Which data can be stored client-side in cookies? My own generated UserId, as for every user (who signed up the “normal” way with email/password)?
How can I check that a user did not manipulate his client-side data?

I would be really thankful if somebody could give me a bunch of answers to my questions!
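The questions above about what to keep in the DB, how to let a user stay signed in, and how to detect manipulated client-side data can be answered with one small server-side pattern. The following is an added example, not code from the original post or from Twitch: the DB is replaced by a constructed in-memory dictionary, `SERVER_SECRET` and the 30-day `SESSION_TTL_SECONDS` are assumed placeholder values, and the provider user IDs and tokens are constructed. The server stores the provider's stable user ID and the refresh token (not the short-lived access token), looks a returning user up by provider ID rather than by email, and hands the browser only an HMAC-signed cookie with an expiry, so any change to the cookie's contents is detected on the next request.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side signing key (assumed placeholder): load from configuration in a real
# deployment and never send it to the client.
SERVER_SECRET = b"example-secret-change-me"
# "Stay logged in" window; 30 days is an assumption for this example.
SESSION_TTL_SECONDS = 30 * 24 * 3600

# Constructed stand-in for the user collection. Only the provider's stable user ID,
# the email and the refresh token are persisted; access_token is not stored.
USERS = {
    "user-42": {
        "provider": "twitch",
        "provider_user_id": "12345678",      # constructed value
        "email": "alice@example.com",        # constructed value
        "refresh_token": "rt-constructed",   # constructed value
    },
}


def find_user_by_provider_id(provider: str, provider_user_id: str) -> Optional[str]:
    """Re-login lookup: match on the provider's user ID, which does not change,
    rather than on the email address, which the user can change at the provider."""
    for uid, doc in USERS.items():
        if doc["provider"] == provider and doc["provider_user_id"] == provider_user_id:
            return uid
    return None


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Build a tamper-evident cookie of the form payload.signature.
    The payload carries only the server-side user ID and an expiry timestamp."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now + SESSION_TTL_SECONDS)}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user ID if the signature is valid, the session has not expired
    and the user still exists; otherwise None (treat the request as logged out)."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except ValueError:          # malformed cookie (bad split or bad base64)
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison so an attacker cannot learn the signature byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or int(claims.get("exp", 0)) <= now:
        return None
    uid = claims.get("uid")
    return uid if uid in USERS else None


if __name__ == "__main__":
    # A returning "Sign in with Twitch" user: look up by provider ID, then issue a cookie.
    uid = find_user_by_provider_id("twitch", "12345678")
    cookie = issue_session_cookie(uid)
    print("cookie:", cookie)
    print("verified user:", verify_session_cookie(cookie))
```

Because the cookie only carries the server's own user ID and an expiry, nothing secret leaves the server: the refresh token stays in the DB and is used server-side when a fresh access token is needed. Rotating `SERVER_SECRET` invalidates every outstanding cookie at once, which is the simple way to force all sessions to re-authenticate.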

So when you use the access token, and are given a code, that code is valid until they use the app on a different device where it has to re-authenticate. If that is the case, use the refresh token with https://github.com/justintv/Twitch-API/wiki/Password-Credentials-Grant to get a new access_token. If that fails, then you will need them to reauthorize through the API; however, keep in mind the refresh_token is always the same, even after deactivating/reactivating the program.
