❔ One OAUTH2 token, multiple users. Good practices, security.
I'm consuming different REST APIs with my credentials to serve my users through my application, but on every Get access of theirs, I generate a token from the APIs, and then drop it.
Would you use a cache (or MSAL) to keep reusing these tokens, or is it fine to request and drop tokens on every request?
I'm using Graph SDK, and for the other azure APIs I'm querying using HttpClient, since the azure SDK isn't properly documented for the services I'm consuming.
6 Replies
Every API I used requires the token on every non-publicly accessible request
You can't be sure if two requests coming from the same ip are from the same user or if the user hasn't signed out
Sorry, I might not have explained it properly
I'm consuming all the APIs with my credentials on my 'machine'
Then I just forward the data to the users through other means
But every time they ask me to fetch data, I get a new token, then delete it
Is it bad practice to cache tokens?
(to do what I'm doing)
So a middle man to the api
yup
If it's a private network with users you trust then it's fine
But will cause issues the moment a different user signs in on the same machine
Unless you have the sign in send a request to change the token for that machine
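An added example, not code from the original thread: an in-memory, expiry-aware cache for an app-only (client credentials) token, the kind of reuse MSAL's application token cache performs. The token-endpoint call is replaced by an injected `fetch_token` callable and the clock is injectable so the expiry logic can be exercised offline; tenant id and scope values are placeholders.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed example. `fetch_token(tenant, scope)` stands in for a POST to the
# tenant's /oauth2/v2.0/token endpoint and must return (access_token, expires_in).


@dataclass
class _Entry:
    token: str
    expires_at: float  # clock value after which the token is no longer usable


class AppTokenCache:
    # Re-fetch this many seconds before real expiry so an in-flight API call
    # does not race the token's expiry.
    REFRESH_MARGIN = 300

    def __init__(self, fetch_token: Callable[[str, str], Tuple[str, int]],
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch_token
        self._clock = clock
        self._lock = threading.Lock()  # single-flight: one fetch per key at a time
        self._entries: Dict[Tuple[str, str], _Entry] = {}

    def get(self, tenant: str, scope: str) -> str:
        # Keyed by tenant + resource scope only: an app token is not tied to an
        # end user, so it is safe to share across the requests you forward for them.
        key = (tenant, scope)
        with self._lock:
            entry = self._entries.get(key)
            if entry and entry.expires_at - self._clock() > self.REFRESH_MARGIN:
                return entry.token
            token, expires_in = self._fetch(tenant, scope)
            self._entries[key] = _Entry(token, self._clock() + expires_in)
            return token

    def invalidate(self, tenant: str, scope: str) -> None:
        # Call this on a 401 from the API so the next get() fetches a fresh token.
        with self._lock:
            self._entries.pop((tenant, scope), None)


def demo() -> Tuple[str, str, str, int]:
    # Constructed fetcher that counts token-endpoint calls; tokens "expire" in 3600s.
    calls = []
    fake_fetch = lambda t, s: (calls.append((t, s)) or (f"tok-{len(calls)}", 3600))
    now = [1000.0]
    cache = AppTokenCache(fake_fetch, clock=lambda: now[0])
    tenant, scope = "TENANT-ID-PLACEHOLDER", "https://graph.microsoft.com/.default"
    first = cache.get(tenant, scope)
    second = cache.get(tenant, scope)   # served from cache, no second fetch
    now[0] += 3400                      # inside the 300s margin: refresh expected
    third = cache.get(tenant, scope)
    return first, second, third, len(calls)
```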