User token validation without access token

Re: **A reminder to validate access tokens when using OAuth2**

We have a significant number of users who have already authenticated via Twitch.
We are using the owin.security.providers.twitch NuGet package to authenticate users, but historically we haven't stored the access token.
I have changed that so the token is now stored per user. After a couple of hours I can then use that access token to check the validity of the token and log the user out if the user's token is no longer valid.
That all works as expected.

What is the suggestion to deal with users who have already authenticated?
I don't have an access token for them, so I have no way to validate the token.
Can I get their access token?
Should they be invalidated?

For users that have already logged in prior to you storing their access token, you can invalidate their session and force them to go back through the authentication process. If they haven’t disconnected your app from their Twitch account, the authentication flow can be almost transparent to the user, which is why there are a lot of sites that use a short session length and just send the user back through the login flow each time as an easy method of token validation.

Thank you for the rapid reply.

We authenticate by

```csharp
// Startup wiring for the Twitch provider (Owin.Security.Providers.Twitch).
// The OnAuthenticated callback copies the Twitch profile fields and the
// access token onto the application identity as claims.
using System.Security.Claims;
using Owin.Security.Providers.Twitch;

var opt = new TwitchAuthenticationOptions()
{
    ClientId = "########",      // redacted
    ClientSecret = "########",  // redacted
    Provider = new TwitchAuthenticationProvider()
    {
        OnAuthenticated = async z =>
        {
            z.Identity.AddClaim(new Claim("TwitchId", z.User.GetValue("_id").ToString()));
            z.Identity.AddClaim(new Claim("TwitchEmail", z.User.GetValue("email").ToString()));
            z.Identity.AddClaim(new Claim("TwitchUsername", z.User.GetValue("name").ToString()));
            z.Identity.AddClaim(new Claim("TwitchLogo", z.User.GetValue("logo").ToString()));
            // Stored so the token can be re-validated later and the user signed out if it is revoked.
            z.Identity.AddClaim(new Claim("TwitchAccessToken", z.AccessToken));
        }
    },
};
```
What is the procedure for invalidating a session so that we reauthenticate?
Thanks

Invalidating a session depends entirely on what web service you use and what module you use for handling sessions. You need to be able to find where the session data is stored and set all sessions to expired (or, depending on how you handle sessions, simply deleting them may work). Without a valid session with the server, the client should be sent through the authentication process again.

Thanks for the reply.
I can abandon the session and sign a user out if they don't have an access token stored.
However, I'd rather they were directed to the Twitch authentication in this scenario so they were immediately prompted to authenticate. I'm unsure how to prompt the authentication outside of the startup, though.
It's straightforward to do the authentication on startup as per the above code.

Depends entirely on what sort of app you're running. If it's a webapp, you can set it so that regardless of what page the user requests, if their session is invalid you just redirect them to the Twitch auth page. You can even use the state param so that after logging in (which can be automatic if they're still connected) they are sent right back to the page they were originally trying to get to.

If you aren’t developing a webapp, and are using some other program, then there must be some way for the client to know that their session is invalid and that they need to log in again.
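One way to put the advice from the replies above into the same OWIN pipeline the question uses. This is an added example, not code from the thread or from the owin.security.providers.twitch package: a middleware that, for a signed-in user whose cookie identity carries no `TwitchAccessToken` claim (a session created before the token was being stored), signs the stale cookie out and issues a challenge to the Twitch middleware with the original URL as `RedirectUri`, which the OAuth middleware round-trips through the `state` parameter. The authentication type names `"ApplicationCookie"` and `"Twitch"` and the callback path `/signin-twitch` are assumptions that must match the values configured in Startup; the claim name comes from the posted code.

```csharp
// Added example (not from the original thread or the Twitch provider package).
// Forces users whose session predates access-token storage back through Twitch auth.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Owin;

public static class RequireTwitchTokenMiddleware
{
    // Claim type written by the OnAuthenticated handler in the thread's Startup code.
    private const string AccessTokenClaim = "TwitchAccessToken";

    // Assumptions: must equal CookieAuthenticationOptions.AuthenticationType and
    // TwitchAuthenticationOptions.AuthenticationType as configured in Startup.
    private const string CookieAuthType = "ApplicationCookie";
    private const string TwitchAuthType = "Twitch";

    // Assumption: the provider's default CallbackPath. The OAuth callback must never be
    // intercepted, otherwise the challenge would loop.
    private static readonly PathString CallbackPath = new PathString("/signin-twitch");

    // Register after UseCookieAuthentication(...) and UseTwitchAuthentication(opt):
    //   app.UseRequireTwitchToken();
    public static void UseRequireTwitchToken(this IAppBuilder app)
    {
        app.Use(async (IOwinContext context, Func<Task> next) =>
        {
            var user = context.Authentication.User;
            var isAuthenticated = user?.Identity?.IsAuthenticated == true;

            if (isAuthenticated
                && NeedsReauthentication(user)
                && !context.Request.Path.StartsWithSegments(CallbackPath))
            {
                // 1. Drop the stale cookie session so the token-less identity is not reused.
                context.Authentication.SignOut(CookieAuthType);

                // 2. Challenge Twitch. RedirectUri is carried in the OAuth state parameter,
                //    so after (possibly automatic) login the user lands on the page they asked for.
                var props = new AuthenticationProperties
                {
                    RedirectUri = context.Request.PathBase + context.Request.Path
                                  + context.Request.QueryString
                };
                context.Authentication.Challenge(props, TwitchAuthType);

                // The OAuth middleware only applies its challenge to a 401 response.
                context.Response.StatusCode = 401;
                return;
            }

            await next();
        });
    }

    // A session needs re-authentication when no access token was stored with its identity.
    // The same check can be extended to consult the periodic validation result once
    // it is persisted alongside the token.
    public static bool NeedsReauthentication(ClaimsPrincipal user)
    {
        var token = user.FindFirst(AccessTokenClaim)?.Value;
        return string.IsNullOrEmpty(token);
    }
}
```

Ordering matters: the middleware has to run after the cookie middleware has populated `context.Authentication.User` and after the Twitch middleware is registered, so that the `Challenge` call has a handler to redirect to. Excluding the callback path is what prevents the challenge from intercepting its own return leg, and signing out first guarantees that an old cookie without a token cannot survive alongside the new identity.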
