OAuth2: Storing temp values in session vs database
I have implemented OAuth2 for a web app. Everything is stored in the session, and I am switching this to a database. This makes sense for the subject and roles, but it also includes the temporary values like state and the redirect uri that are only required during the OAuth process. Does it make sense to use a db for those? I don't know sessions well enough to know if it is guaranteed to keep the same session during a response.redirect. It seems possible the browser submits the redirect request and the load balancer sends the request to a different server than where we started, in which case the session data won't be there and we'll need the database to get state, etc. I've read a lot of articles and questions on this topic but they don't quite answer me.
Edit: The OAuth flow:
- Client (browser) tries to access webapp resource (eg. /resource)
- Webapp sends redirect back to browser and browser redirects to OAuth authorization server to retrieve authorization code
- OAuth server tells browser to redirect back to the webapp with code
- Webapp exchanges auth code for token
- ... more stuff
In step 2, the webapp needs to save a random "state" string and the original uri the client wanted to access (/resource). The state is included in the redirect to the authorization server. In step 3, the auth server includes the state value in the request to the webapp. The webapp verifies the state is the same one it saved in step 2. After all these steps complete, the webapp finally serves the originally requested resource (/resource). I am wondering how state and original resource / uri are saved in a typical oauth flow. These are only needed during the authentication.
