I'm currently using "lucadegasperi/oauth2-server-laravel".
I'm making an api endpoint for a 3rd party trusted client and using the client_credentials grant.
Now the thing is that access tokens tend to expire, so instead of giving the 3rd party user an access token, I would just supply them with the client id/secret.
On my side I would do the following when they do a curl request...
-- Newest access token (and its expiry) belonging to this client id/secret pair
SELECT a.id,
       a.expire_time
FROM oauth_clients AS c
LEFT JOIN oauth_sessions AS s ON s.client_id = c.id
LEFT JOIN oauth_access_tokens AS a ON a.session_id = s.id
WHERE c.id = 'asfasasf'
  AND c.secret = 'asfasfasfasf'
ORDER BY s.id DESC
LIMIT 1;
... The above pretty much checks if there is an access token and expire time relating to the client id/secret. I'd pretty much just generate a new one if one didn't exist or if it expired. Then a couple lines down, do a curl on my side to the endpoint they were after with the given access_token on my side without them worrying about doing it.
I've tested it and it works, but is this kind of dodgy/bad to do?
tldr;
- 3rd party client - goes to /api/endpoint with client id/secret
- my server side (checks for access token in db relating to client id/secret)
- generates one if it does not exist or is expired ...
- 3rd party client endpoint api continues to use db selected access token
- works
Is that a bad flow?
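The flow described above (look up the newest token for the client, reuse it while unexpired, otherwise issue a fresh one), written out as an added example; this is not code from the question or from the oauth2-server-laravel package. It assumes an in-memory SQLite copy of the three tables with the column names used in the query, a constructed client row, and the same `a.id` / `a.expire_time` columns the query selects.

```python
import hmac
import secrets
import sqlite3
import time

# Minimal stand-ins for the package's tables (assumed column names, constructed schema).
SCHEMA = """
CREATE TABLE oauth_clients (id TEXT PRIMARY KEY, secret TEXT NOT NULL);
CREATE TABLE oauth_sessions (id INTEGER PRIMARY KEY AUTOINCREMENT, client_id TEXT NOT NULL);
CREATE TABLE oauth_access_tokens (id TEXT PRIMARY KEY, session_id INTEGER NOT NULL,
                                  expire_time INTEGER NOT NULL);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO oauth_clients VALUES (?, ?)", ("client-1", "s3cr3t"))  # constructed
    return db

def client_secret_ok(db, client_id, secret):
    # Parameterised lookup plus constant-time comparison instead of matching the secret in SQL.
    row = db.execute("SELECT secret FROM oauth_clients WHERE id = ?", (client_id,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], secret)

def latest_token(db, client_id):
    # Parameterised version of the query in the question: newest session first.
    return db.execute("""
        SELECT a.id, a.expire_time
        FROM oauth_clients AS c
        LEFT JOIN oauth_sessions AS s ON s.client_id = c.id
        LEFT JOIN oauth_access_tokens AS a ON a.session_id = s.id
        WHERE c.id = ?
        ORDER BY s.id DESC LIMIT 1""", (client_id,)).fetchone()

def issue_token(db, client_id, now, ttl=3600):
    cur = db.execute("INSERT INTO oauth_sessions (client_id) VALUES (?)", (client_id,))
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO oauth_access_tokens VALUES (?, ?, ?)", (token, cur.lastrowid, now + ttl))
    return token

def token_for(db, client_id, secret, now=None):
    """Return (token, reused) for valid credentials, or None when they do not match."""
    now = int(time.time()) if now is None else now
    if not client_secret_ok(db, client_id, secret):
        return None
    row = latest_token(db, client_id)
    # LEFT JOINs return (None, None) for a client with no session yet; expiry is checked in code.
    if row and row[0] is not None and row[1] > now:
        return row[0], True
    return issue_token(db, client_id, now), False
```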