On Nov 30, 3:54 am, rob ganly <[email protected]> wrote:
> hi all,
>
> what is the normal way of checking if a user is already logged into
> the oauth service provider site?
>
> so for example when my consumer redirects the user to the service
> provider site i need to check if the user is already logged into that
> site or not, and obviously if they're not, display the login box, and
> if they are just display the access/deny permissions page. would this
> normally be done with a cookie or session check?

You can use whatever mechanism you usually use to authenticate a user on pages that require it (such as a cookie or session check). That said, many people consider it a good practice to require re-authentication when approving a token, even if there is a valid login session already. This helps to prevent people from gaining access to sites on public computers where someone forgot to log out, for example.

> lastly, just to double check, if i want to check if the user has
> previously been granted access should i just check for the existence
> of a previously-assigned access token, and if so do i need to assign
> them a new one?

Ordinarily, a consumer that already has an access token won't ask for another one unless it loses it for some reason. However in the case of something like a desktop client app, you might have multiple, independent instances sharing the same consumer info. I think it would be best to require re-authorization from the user and assign a new token.

Cheers,
-- Tim
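
Added example, not part of the original thread or written by either poster: a Python sketch of the service provider's authorization-endpoint decision and per-approval token issuance discussed in the reply above. The session layout, the 300-second re-authentication window, and every function and class name are assumptions made for illustration.

```python
import secrets
import time

REAUTH_WINDOW = 300  # seconds; assumed policy value, not from the thread


def authorize_step(session, now=None, reauth_window=REAUTH_WINDOW):
    """Pick the page the provider's authorization endpoint should render."""
    now = time.time() if now is None else now
    if not session or "user_id" not in session:
        return "login"           # no valid login session: show the login box
    # A missing timestamp is treated as a stale login (fail closed).
    if now - session.get("authenticated_at", 0) > reauth_window:
        return "reauthenticate"  # session exists but the login is not recent
    return "consent"             # fresh login: show the allow/deny page


class TokenStore:
    """One access token per approval, never reused across client instances."""

    def __init__(self):
        self._tokens = {}  # token -> (consumer_key, user_id, token_secret)

    def grant(self, consumer_key, user_id):
        # Called only after the user clicks "allow" on the consent page.
        token = secrets.token_urlsafe(32)
        token_secret = secrets.token_urlsafe(32)
        self._tokens[token] = (consumer_key, user_id, token_secret)
        return token, token_secret

    def is_valid(self, token, consumer_key):
        entry = self._tokens.get(token)
        return entry is not None and entry[0] == consumer_key

    def revoke(self, token):
        # Revoking one instance's token leaves the other instances working.
        self._tokens.pop(token, None)


if __name__ == "__main__":
    # Constructed sample sessions; timestamps are arbitrary.
    print(authorize_step({}, now=1000))
    print(authorize_step({"user_id": "u1", "authenticated_at": 900}, now=1000))
    print(authorize_step({"user_id": "u1", "authenticated_at": 100}, now=1000))
```

Because each approval yields its own token, two desktop instances sharing one consumer key can be revoked independently.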
