Tokens saved on auth_identities table

[kairiex2]

I Have a few questions

1. Each time a token generated, it is saved in database ("auth_identities" table). What is the purpose if token is a stateless way to authenticate request (also has authorization data)?
2. If the concept of token in shield is hybrid of stateful and stateless, then what is the use of "extra" field on "auth_identities" table which store that user permission, as the token's user_id is the same user on "users" table which already has it's groups/permissions authorization?

[lonnieezell]

You can ignore the extra field 9/10 times. It's there in case the authorization library needs to save a bit of other information to work correctly.

Authorization tokens are long lived identifiers that serve a different use case then session based authorization, and can have a different set of permissions tied to it.

The best way to look at is like GitHub. When you log into GitHub you are using a session-based authorization. But when you want to use their API you need to generate a Personal Access Token. The token can be regenerated at any time without affecting your ability to log into the system.

[kairiex2]

Thanks @lonnieezell. I'm starting to get for what scenario to use access token for. Can i ask what is the best practice when giving access token?
If user request for access token, shield automatically saved it to database, then what if that user request again for as much as he want (intentionally or unintentionally). Isn't auth_identities table full of that same user access tokens? Or should i implement a checked method to delete old access tokens first before generating new one. If it's the later, can't shield implement it like as one of it's config? Or if it's not the later, what purpose is to store so many access tokens potentially from the same user and same scenario it's needed for.

[lonnieezell]

Depends on how you want it in your app. I've seen it both ways. If it were me my default would be to only allow a single token at any given time. So when a new one was regenerated it would delete the old one.

However, there are some cases where your business needs would require more than one. I'd default to just one unless you have a defined reason to do otherwise, though.

[kairiex2]

Thank you @lonnieezell