Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

uptiie's avatar

Using multiple oauth2 accounts for a single user?

I've been researching this for about 8 months and I can't seem to get google or really anywhere to give me a good idea on how I should tackle this.

So far my MVP would allow a single user to connect a third-party account to their Laravel user account. I have got this one checked off for using socialite. Now if I would like to access more data than basic name/email/simple data I would have to make a custom provider in socialite, again this is on Laracasts so I can do that.

Now the tricky part that I can't seem to figure out is how to allow my user to connect multiple logins from the same app i.e my user can connect multiple Spotify accounts to their Laravel account but maybe I also want to get the users songs from their Pandora and SoundCloud accounts as well.

How I think I should go about this is creating a new table for login credentials, but I'm not sure if I'm supposed to save the refresh token or something else, all I know is I need to save those credentials in a table so that way the Laravel user can access all their Spotify accounts without having to re-authorize my Laravel app again.

So far my data structure looks like this:

authorizedCredentials -> platformAccount -> platform -> User

A platform can have multiple platform-accounts and then that platform-account will have a name and a saved refresh/token in the database(I'll make sure to secure these with multi-tenant ids).

I'm still trying to figure out what keys I need to be saving and what logic would be used to access their Spotify account every time the user opens the Laravel app. I have read up on Oauth2 and it looks like there are multiple grant types and then I can get an access token and then a refresh token but does Socialite accept refresh tokens? Or would I need to make some more custom logic for that?

Also a lot of API platforms have some sort of SDK for php. Would it be better in terms of simplicity to just use their SDK or should I just go about using their API? I personally think that the code would be easier for me to understand if I just bind their API with my own models for better organization.

This is a big personal project for me, I want to be able to understand this and I most definitely want it on my resume.

0 likes
2 replies
martinbean's avatar

@uptiie You seem to be overcomplicating things. OAuth is an authorisation protocol to allow other services to act as another user. It does this through access tokens. So when you “sign in” with Facebook, you get an access token for your account on Facebook. When you “sign in” with Twitter, you get an access token for your account on Twitter. When you “sign in” with Spotify, you’ll get an access token for your account on Spotify.

If a user can connect multiple accounts to their account on your service, then you’ll need to save these access tokens issued with these third-party websites in a table somewhere. A table called access_tokens is perfectly fine that has a foreign key pointing to the user who owns the token, then columns for data like the access token value, refresh token if one was provided, when the refresh token expires, and a “name” for the account if that’s what your application requires. You’ll then use the access tokens issued by third parties (such as Spotify) to authenticate as that user when using Spotify’s API to retrieve tracks or whatever. Same deal with Pandora.

You’ll need to store any refresh tokens you receive as well. Reason being, OAuth 2 access tokens usually have an expiry date. So if the access token expires, you’ll no longer be able to make API requests with it. So your users will be annoyed if after a month or so your service stops working. So you use the refresh token to get a fresh access before the access token expires. If the access token expires, so does the corresponding refresh token. So you won’t be able to refresh an access token after it has expired. The simplest way to do this would be to have a scheduled task that checks for any access tokens expiring in say, the next three days, and dispatch queue jobs to refresh them. For any that you can’t refresh (i.e. the user’s revoked the token, de-authorized the app, etc) you can send them a notification saying their account’s been disconnected and prompting them to re-connect.

1 like
uptiie's avatar

I can't describe how helpful this was, I've been overcomplicating this so much. So to clarify, I don't have to attach anything besides the user->access_token and then I just send the API request?

Please or to participate in this conversation.