
Crimsonkid:

How to share web and api (passport) session?

I am currently developing a Laravel Passport OAuth2 Single Sign On application. So let's say we have two systems: System A (SSO App), which contains the login page, user management, client management and so on, and System B (Client App), which could be any type of app that requires authentication from System A.

Right now all the basic stuff, such as setting up Laravel and Passport and pointing the client app to oauth/authorize, oauth/token and oauth/refresh, is working as expected. However, I just noticed that after a long time, even if System B keeps sending the refresh token to System A, when I refresh System A after a long time, it logs me out. Then I try to refresh System B, and it is still sending the refresh token.

Is there any reason for this? I'm sorry, I do not know how to share my code since I don't know which part I should share.

Any help is appreciated.

EDITED: What I want is that when the api (passport) session has still not expired, then System A should not be expired as well.

martinbean:

@crimsonkid The session on System B is in no way tied to the token lifetimes in System A. The token can be revoked in System A any time before the session ends in System B, and a session can expire in System B any time before the token expires or is revoked in System A.

OAuth tokens (and tokens in token-based authentication) are stateless. Therefore you can’t (and shouldn’t) pin their lifetime to a stateful authentication mechanism like a session in a completely separate application.
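An added example (not code from this thread, from Laravel or from Passport) of how System B can make that decoupling explicit on its own side: a middleware that checks the stored token expiry on each request, refreshes it through System A's oauth/token endpoint, and ends the local session only when the refresh is rejected. The session key `oauth`, the `config('services.sso.*')` entries and the `login` route name are assumptions.

```php
<?php
// Added example; 'oauth' session layout and services.sso.* config keys are assumed, not Passport's.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Http;

class EnsureSsoTokenIsFresh
{
    public function handle(Request $request, Closure $next)
    {
        // Stored at login: ['access_token', 'refresh_token', 'expires_at' (unix time)]
        $oauth = $request->session()->get('oauth');

        if (! $oauth) {
            return $next($request); // guests have nothing to check
        }

        // Refresh a minute early so an in-flight request never carries an expired token.
        if (time() >= $oauth['expires_at'] - 60) {
            $response = Http::asForm()->post(config('services.sso.url') . '/oauth/token', [
                'grant_type'    => 'refresh_token',
                'refresh_token' => $oauth['refresh_token'],
                'client_id'     => config('services.sso.client_id'),
                'client_secret' => config('services.sso.client_secret'),
            ]);

            if ($response->failed()) {
                // System A revoked or expired the refresh token: end the local
                // session too, rather than letting it outlive the token.
                Auth::logout();
                $request->session()->invalidate();
                $request->session()->regenerateToken();
                return redirect()->route('login');
            }

            $data = $response->json();
            $request->session()->put('oauth', [
                'access_token'  => $data['access_token'],
                'refresh_token' => $data['refresh_token'],
                'expires_at'    => time() + $data['expires_in'],
            ]);
        }

        return $next($request);
    }
}
```

Register it in the `web` middleware group (or on the authenticated routes) so every page load on System B re-validates the token before trusting the session.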

Crimsonkid:

Thanks for the reply @martinbean. Your answer is more or less what I had predicted. Well, it can also mean that I still don't properly understand how tokens work. I should study more on that. I have looked into some tutorials and mostly they used the Laravel server SSO to create tokens and so on using the web auth session. That is why I thought that I needed to use it as well in order to guard against anyone trying to access System A.

If I understand it correctly, should I instead put the modules such as user management etc. on another client app like System C? Thus System A would only provide authentication & authorization. Then I could make all my client apps have the same token lifetime, something like that.

Also, on System A there would be no more web auth session used; instead it would only serve as the Passport API.

Am I right? If this is true then I can consider my question answered.

martinbean:

OAuth is just token-based authentication. You get a token at the point of authorisation. If you then use this token to authenticate a user in your application, then the user is just logged into your application as if they had entered an email and password.

It's the same if you authenticate using Google or Facebook. You'd go through their OAuth flow and get a token. If you then use that token to look a user up in your app and log them in, then that user's session is in no way tied to the token you got from Google or Facebook. If the token is revoked, the user will still be authenticated in your app. If the user logs out of your app, that doesn't automatically expire or revoke the access token.
