-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Password Grant - allow multiple sessions per user #32
Comments
In #25 I proposed a similar change for the deleteSession method: "differ between the owner type to delete only expired sessions when the Client Credentials Grant is used." Perhaps this needs to be done for all grant types? I couldn't find anything in the RFC that doesn't allow this behavior. This is already possible and depends on your implementation of the Session Storage, but should be default I think. |
Is there a reason not to do this in the Auth Code and Implicit grants as well? |
I think @jacobweber is correct here, this should be removed for all grant types. Basic example: you have an android application, it uses a certain client id. If a user has a mobile phone and a tablet he would be unable to login to both devices unless they use different client ids. This is a common thing I would think, even having 2 android mobile phones is not entierly unheard of. As it is today, if you login to one device your tokens for the other would be removed. Some way to clear old sessions are necessary though, but it would need to make sure there are no valid tokens associated with them first as stated by @michaelhogg above. For myself I would write a cronjob to clear these, but it might be a good idea to have this functionality available in the repository in some way. |
Followup on @jacobweber and @jfse comment. Re: skip deleteSession in AuthCode Re: cleanup old session |
Firstly I wanted to thank you for your awesome library @alexbilbie :)
For the Password Grant, why are existing sessions deleted when the new session is created?
The Password Grant is often used for first-party "official" mobile apps. A user may wish to install such an app on two devices (eg: an iPhone and an iPod touch) and stay signed in on both of them.
With the existing functionality in the Password Grant, when the user signs in on their second device,
deleteSession()
will delete their first session from theoauth_sessions
table, effectively signing them out from their first device.If the call to
deleteSession()
was removed, thenoauth_sessions
could contain an unlimited number of sessions per user, enabling a user to stay signed in on an unlimited number of devices. Sessions can be deleted fromoauth_sessions
when:access_token_expires
, oraccess_token_expires
(it's very unlikely that the refresh token will be used a year after the access token has expired).This is similar to Issue #25. The difference is:
The text was updated successfully, but these errors were encountered: