
I am working on a PHP project that uses the APIs of a few services. One of these APIs uses OAuth 2.0 authorization to authenticate the application's API access. However, I am unsure how I should approach authenticating a local console application.

I would not be using a web flow to authenticate against the API, as my PHP script runs in a local console. The API allows retrieving the access token and refresh token by entering my username and password (they recommend this only for console applications).

Once I get the access token, I can use it to make API requests. This works fine. However, I am unsure what to do with my refresh token. The API consumes refresh tokens as follows:

/oauth2/access_token/ (Refresh token usage)

Context: Client's Web Server

Required arguments: refresh_token, grant_type=refresh_token, client_id, client_secret

Access token scope: None

On success, a JSON response is returned to the client:

{
  "access_token": a valid access token,
  "scope": scope as given in authorize,
  "expires_in": seconds to expiry,
  "refresh_token": a token that can be used to get a new access token
}

Consuming a refresh token will immediately expire the related access token. Refresh tokens are single-use. A new refresh token is returned from this call, ready for consumption later.

From what I gather from this, my authentication process should be something like this:

  1. Initial authentication - pass username/password via environment variable, get the access/refresh token from response
  2. Store the refresh token? Check for the expiry of the initial access token
  3. If initial access token has expired, pull refresh token from file and make a request for a new access/refresh token
  4. Store new refresh token?

Does this sound like the correct authentication flow? Is there a specific way I should be storing the refresh token? I am aware there may be a lot of security concerns with simply storing the refresh token in a text file, as it has the ability to give complete access to my account. Are there any better alternatives?

Thanks!

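The four-step flow from the question, written out as an added example for this page (it is not code from the original post or from the API provider). It assumes the token endpoint is the /oauth2/access_token/ path quoted above, that the username/password grant uses grant_type=password with username and password fields (the question does not give the exact parameter names), and that the token file lives in the temp directory; the endpoint itself is replaced by a constructed in-memory stand-in so the script runs offline. The detail it adds to the steps: because each refresh token is single-use, the replacement must be written to disk before the new access token is used, and a refresh request cannot simply be retried if the response is lost.

```php
<?php
// Added example, not from the original post. Assumptions: endpoint path
// /oauth2/access_token/ (from the quoted docs), a password grant with
// grant_type=password plus username/password fields, and a token file in the
// temp directory. The endpoint below is a constructed stand-in, not the real API.
declare(strict_types=1);

final class TokenStore
{
    public function __construct(private string $path) {}

    public function load(): ?array
    {
        if (!is_file($this->path)) {
            return null;
        }
        $data = json_decode((string) file_get_contents($this->path), true);
        return is_array($data) ? $data : null;
    }

    // Temp file + rename: a crash mid-write must not leave a half-written file,
    // because the refresh token being replaced has already been consumed.
    public function save(array $tokens): void
    {
        $tmp = $this->path . '.tmp';
        file_put_contents($tmp, json_encode($tokens), LOCK_EX);
        chmod($tmp, 0600); // owner-only: this file is as sensitive as the password
        rename($tmp, $this->path);
    }
}

final class OAuthClient
{
    private const SKEW = 60; // refresh this many seconds before expiry

    /** @param callable $post function(array $form): array, a POST to the token endpoint */
    public function __construct(
        private TokenStore $store,
        private string $clientId,
        private string $clientSecret,
        private $post,
    ) {}

    // Step 1: the password is used once; afterwards only tokens are kept.
    public function loginWithPassword(string $user, string $pass): void
    {
        $this->persist(($this->post)([
            'grant_type' => 'password', 'username' => $user, 'password' => $pass,
            'client_id' => $this->clientId, 'client_secret' => $this->clientSecret,
        ]));
    }

    // Steps 2-4: reuse the access token while valid, otherwise spend the
    // refresh token and store its replacement before handing the token out.
    public function accessToken(): string
    {
        $t = $this->store->load();
        if ($t === null) {
            throw new RuntimeException('no stored tokens: call loginWithPassword() first');
        }
        if (time() < $t['expires_at'] - self::SKEW) {
            return $t['access_token'];
        }
        $resp = ($this->post)([
            'grant_type' => 'refresh_token', 'refresh_token' => $t['refresh_token'],
            'client_id' => $this->clientId, 'client_secret' => $this->clientSecret,
        ]);
        $this->persist($resp); // the response holds the only copy of the new refresh token
        return $resp['access_token'];
    }

    private function persist(array $resp): void
    {
        $this->store->save([
            'access_token'  => $resp['access_token'],
            'refresh_token' => $resp['refresh_token'],
            'expires_at'    => time() + (int) $resp['expires_in'],
        ]);
    }
}

// Constructed stand-in for the token endpoint: every call invalidates the
// previous refresh token, as the quoted documentation describes.
$live = null;
$n = 0;
$endpoint = function (array $form) use (&$live, &$n): array {
    if ($form['grant_type'] === 'refresh_token' && $form['refresh_token'] !== $live) {
        throw new RuntimeException('invalid_grant: refresh token already consumed');
    }
    $n++;
    $live = "refresh-$n";
    // The password grant returns an already-expired access token here so that
    // the next accessToken() call exercises the refresh path.
    return ['access_token' => "access-$n", 'refresh_token' => $live,
            'expires_in' => $n === 1 ? 0 : 3600, 'scope' => 'read'];
};

$client = new OAuthClient(new TokenStore(sys_get_temp_dir() . '/tokens.json'),
    'my-client-id', getenv('CLIENT_SECRET') ?: 'dev-secret', $endpoint);
$client->loginWithPassword(getenv('API_USER') ?: 'alice', getenv('API_PASS') ?: 'secret');
echo $client->accessToken(), PHP_EOL; // spends refresh-1, stores refresh-2
echo $client->accessToken(), PHP_EOL; // access token still valid, no refresh
```

If the script crashes between sending the refresh request and saving the response, the old refresh token is dead and the new one was never stored; the only recovery is step 1 again with the password, which is why the stand-in rejects a second use of the same refresh token rather than silently succeeding.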

1 Answer


The authentication flow is fine. For more detail and validation, you can read https://tools.ietf.org/html/rfc6749 .

You can store the refresh token either in a file or in a database, encrypted with an encryption key, and it MUST only be transmitted over TLS. The refresh token is used in scenarios where the server wants to do some scheduled background activities, such as accessing profile and related data from another OAuth server based on a previously stored access token, without asking for the username and password over and over again. If the access token is invalidated, the refresh token is used to get a new access token to serve the purpose.
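Encrypting the stored refresh token as the answer suggests, as an added example written for this page (not the answer's own code or any library's API). It uses the libsodium extension bundled with PHP and assumes the key arrives hex-encoded in a TOKEN_KEY environment variable and that the file lives in the temp directory; both are assumptions. The sample token values are constructed.

```php
<?php
// Added example, not from the original answer: refresh tokens encrypted at
// rest with libsodium's secretbox. Assumptions: the 32-byte key is supplied
// hex-encoded in TOKEN_KEY, and the file path is in the temp directory.
declare(strict_types=1);

function loadKey(): string
{
    $hex = getenv('TOKEN_KEY');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException(
            'TOKEN_KEY must hold 32 bytes as hex, e.g. bin2hex(sodium_crypto_secretbox_keygen())'
        );
    }
    return sodium_hex2bin($hex);
}

function sealTokens(array $tokens, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce for every write
    $box   = sodium_crypto_secretbox(json_encode($tokens, JSON_THROW_ON_ERROR), $nonce, $key);
    return $nonce . $box; // the nonce is not secret; it is stored in front of the ciphertext
}

function openTokens(string $blob, string $key): array
{
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        // secretbox is authenticated: a tampered file or the wrong key fails here
        throw new RuntimeException('token file is corrupt or was sealed with a different key');
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Usage: seal the tokens returned by the refresh call, then read them back
// before the next run. Values below are constructed, not real tokens.
$key  = loadKey();
$path = sys_get_temp_dir() . '/tokens.enc';
$tmp  = $path . '.tmp';
file_put_contents($tmp, sealTokens([
    'access_token'  => 'access-example',
    'refresh_token' => 'refresh-example',
    'expires_at'    => time() + 3600,
], $key), LOCK_EX);
chmod($tmp, 0600);
rename($tmp, $path); // atomic replace: the previous refresh token is already spent

$tokens = openTokens((string) file_get_contents($path), $key);
sodium_memzero($key);
echo 'stored refresh token restored: ', $tokens['refresh_token'] !== '' ? 'yes' : 'no', PHP_EOL;
```

The encryption only raises the bar if the key is not stored next to the file: anything running as the same user that can read tokens.enc can usually read a config file or the process environment too. Keep the key in the OS keychain or a secrets manager, keep the file at mode 0600, and because the provider rotates the refresh token on every use, write the file atomically on every refresh just as with the plaintext version.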