
Any OAuth2 providers other than Google that offer access token validation without an extra server call?


I'm developing a mobile app that has to talk to its own custom back-end API. I would prefer to not roll my own authentication and account management; I would rather use OAuth2 from an existing provider.

Google allows you to validate Google-generated OAuth tokens server side without needing to call Google's servers. This is important, since I'll be authenticating each request separately. If the server needed to call an external service to verify a token each time, the service would be slower and harder to scale. Google mentions how to verify their tokens in this section: Validating Tokens. Except for the need to refresh Google's certs roughly once a day, you can validate a Google-generated OAuth token on your own server alone.

My question is, are there other OAuth providers that don't require an extra call to validate a token? It appears for both Facebook and Twitter you need to call their server to validate a token. Since these tokens have an expiration time, is it considered a good practice to call an external service to validate this token, and cache this result for the duration of the token's validity? If this is a good practice I could perhaps consider these services in addition to Google's OAuth.


Solution

  • I don't know of any other major services that are signing tokens in the way Google does. I suspect (and hope) it will become more common over time.

    As far as Facebook and Twitter go, you do have to validate the token with their API, since they are authoritative for issuing it. One thing you can do, to avoid constantly making requests to their API, is to issue your own token that the device will use when talking to your API.

    It might look like this:

    POST /login?access_token=twitter_token -> contact Twitter's API -> issue and return your own token

    POST /api/foo?access_token=your_api_token

    With that in place, there is only one call to an external validation service. The rest of the API calls use tokens which you can validate using your own database.
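The pattern in this answer, as an added example that is not the answerer's code: the provider is contacted once at login (stubbed here by an injected `check_with_provider` callable, an assumption), and every later request carries a token the server mints and validates itself. The token format (base64url JSON payload plus an HMAC-SHA256 tag keyed with a server secret) is an assumption chosen so that validation needs only the secret and a clock.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Callable, Optional

# Assumption: per-server signing secret; in production load it from a secret store
# so every API node validates the same tokens.
SERVER_SECRET = secrets.token_bytes(32)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_api_token(provider: str, provider_user_id: str,
                    ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint our own token once the external provider has confirmed the login."""
    now = int(time.time()) if now is None else now
    payload = {"sub": f"{provider}:{provider_user_id}", "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def validate_api_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Check signature and expiry locally; no call to Twitter/Facebook is needed."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    payload = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if payload["exp"] <= now:                     # expired tokens are rejected
        return None
    return payload

def login(provider_token: str,
          check_with_provider: Callable[[str], Optional[str]]) -> Optional[str]:
    """POST /login: the single external validation call, then issue our own token.
    check_with_provider (assumed) asks the provider's API and returns a user id or None."""
    user_id = check_with_provider(provider_token)
    if user_id is None:
        return None
    return issue_api_token("twitter", user_id)
```

Every `/api/foo` request then goes through `validate_api_token`, which consults only the server secret and the current time.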