jaredhanson / oauth2orize

OAuth 2.0 authorization server toolkit for Node.js.

Home Page:https://www.oauth2orize.org?utm_source=github&utm_medium=referral&utm_campaign=oauth2orize


How to determine if user is logged in at the client-side?

YannisMarios opened this issue

Hello,

I am using the authorization code grant because I want to build a trusted client to manage my users' clients, tokens etc. In my client I build the authorization URL and then I present a login form to the user. Upon successful login, if the client is trusted I do not show the authorization dialog. Then I make a request from the client to the token endpoint with the authorization code and I get the access and refresh tokens.

The flow goes like this:

  1. LocalStrategy
  2. Grant authorization code
  3. Client Password strategy
  4. Exchange authorization code for access token and refresh token

At the auth-server in my index.js I have:

    app.use(session({
      saveUninitialized: true,
      resave: true,
      secret: config.session.secret,
      store: rdbStore,
      key: 'authorization.sid',
      cookie: { maxAge: config.session.maxAge, secure: true }
    }));

and all sessions are stored in RethinkDB.

Also the authorization.sid is in the cookie at the client side.

At the client after I receive the tokens the req object does not contain either req.session or req.user.

I want to be able to determine if user is logged in at the client-side.

I know it may sound silly because, since I have the tokens, I must have logged in.

I am new to this OAuth2 stuff and I would like to know: what is the best way to determine if a user is logged in at the client side when using the authorization code grant?

Thank you

Per the new issue template, this conversation should move to the discussion forum. Closing.
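
An added example, not part of the original thread and not oauth2orize code: one common way for the client application in the flow above to track login is to keep its own session after the token exchange, separate from the auth server's authorization.sid session. The cookie name client.sid, the functions establishSession and isLoggedIn, and the in-memory Map store are assumptions made for illustration.

```javascript
// Added example: client.sid, establishSession and isLoggedIn are hypothetical names.
const { randomBytes } = require('node:crypto');

const CLIENT_COOKIE = 'client.sid'; // the client's own cookie, distinct from authorization.sid

// Parse a Cookie request header into a plain { name: value } object.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Call once the token endpoint has answered: the tokens stay server-side in the
// client's own store and the browser only receives an opaque random session id.
function establishSession(store, tokenResponse, now = Date.now()) {
  const sid = randomBytes(32).toString('hex');
  store.set(sid, {
    accessToken: tokenResponse.access_token,
    refreshToken: tokenResponse.refresh_token,
    expiresAt: now + tokenResponse.expires_in * 1000,
  });
  return `${CLIENT_COOKIE}=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// "Logged in" at the client: the request carries a client.sid that maps to a stored,
// unexpired token set (a fuller client would try the refresh token before giving up).
function isLoggedIn(store, req, now = Date.now()) {
  const sid = parseCookies(req.headers.cookie)[CLIENT_COOKIE];
  const entry = sid ? store.get(sid) : undefined;
  if (!entry) return false;
  if (entry.expiresAt <= now) { store.delete(sid); return false; }
  return true;
}

// Constructed sample data, not real tokens or session ids.
const store = new Map();
const t0 = 1_700_000_000_000;
const setCookie = establishSession(store,
  { access_token: 'sample-access', refresh_token: 'sample-refresh', expires_in: 3600 }, t0);
const sidPair = setCookie.split(';')[0];
console.log(isLoggedIn(store, { headers: { cookie: 'authorization.sid=abc' } }, t0)); // auth-server cookie only
console.log(isLoggedIn(store, { headers: { cookie: sidPair } }, t0 + 1000));          // client session present
console.log(isLoggedIn(store, { headers: { cookie: sidPair } }, t0 + 3_600_001));     // access token expired
```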