I've gone around Stack Overflow and found a lot of posts about handling access tokens and how to store them. Some answers mention not to do X, then others mention to do X; it's getting very confusing. My goal is to log a user in through their account from another site using OAuth2.
Currently I am using passport.js to get the user's refresh token, access token and their user ID. I am storing the refresh token and user ID in a session on a database. The problem I'm having is deciding where to store the access token and whether I should store it at all. These are the current ideas that I have:
- Store the access token in the session on the database and check whether it has expired before each API request.
- Store the access token in a cookie and check whether it has expired before each API request.
- Don't store the access token at all; each time I need the user's data, request a new access token using the refresh token I have stored.