I’m building an application which requires users to confirm their identity before being able to do actions on the back-end. I’m using the authorization code grant flow, giving my backend their access token. Would it be safe to send the access token back to the client after they logged in, to use the access token in the following requests to confirm their identity?
I feel like I’m missing something, since it’s the first time I’m really working with OAuth. Thanks for your help!
Sure, it’s the user’s own token.
But normally you would use sessions, so the only thing you send to the user is a session ID.
And when the user loads a webpage, the session is loaded from the session store, and that will have their Twitch Access Token attached to it.
Mine uses NodeJS with Express and Express sessions to manage access to server-side resources.
So I don’t send the user’s token back to the user; I only send them a session ID.
Thank you, this is exactly what I have been looking for!