OAuth 2.0 Resource Owner Password Grant – Handling of Access Token Upon Logging Out

Çağlar Arlı

I am new to OAuth 2.0. I used BShaffer's OAuth PHP Server on Authorization Code Grant, and I understand that the client application can have its OAuth token separate from its session authentication; that is, if a user logs out, the access token is not revoked, and the refresh token is used to get a new access token upon expiry.

I am building a trusted application using an API with OAuth User Credential (or Resource Owner) Grant. My questions are:

  1. Since I am in OAuth User Credential Grant, should OAuth hold all the user credentials and solely be the user authentication layer (which would act like an SSO layer)?
  2. With that, can I use an OAuth token as a session token?
  3. Upon logging out of the client application, should I revoke the OAuth token?