I think I am too stupid for OAuth2. How do I handle this scenario: a user deletes his account at the OAuth provider. Let's say my own, Google, Microsoft, whatever. How do I handle data associated with the user then? I have some data which can be deleted then, as it is not needed anymore.

Or is this not possible by design? If yes, this is a perfect example of how to waste resources...

Comments
  • 2
    Let's take Google for example.

    OAuth2 lets you access the particular service without your account details, this is why we use OAuth2 after all, but those client and secret keys are tied back to your account anyway so that the service actually knows who you are.

    So having something in place that's identifiable, like an email, phone number or some other item would close the loop.
  • 1
    @C0D4 I am building a monitoring API. Users can log in using their account provided by an OAuth2 server. Users can subscribe to status changes. Then e.g. their email address and some subscription information is saved. When the user gets deleted or deletes his account himself, I also want the emails to stop notifying the user.

    Open for different solutions though
  • 1
    @hypervtechnics can't you use the refresh tokens to achieve this?

    When the original auth expires, run a refresh call, and if it fails, deactivate the account or disable emails for your monitor (or both, at different times) and notify the user that they need to log in to continue using your service.
  • 1
    Don't feel bad. OAuth2 is a mess.
  • 1
    @C0D4 This is actually a good solution. But isn't it kind of weird (no better word) to save the token on the server side?
  • 2
    @hypervtechnics yes, storing these tokens isn't a great idea in general, but your requirement to access the user's account details after an OAuth token has expired doesn't leave a lot of room for better ideas.

    I would certainly treat those tokens as risky data and encrypt them if you're going to store them.
  • 0
    @C0D4 Would be nice if there were some kind of webhook :D But if it's the only option to do so I will do it.

    Sadly this is not handled in the specs...
  • 0
    @shakur Currently chose OIDC. Worked around the scenario from post above. Thank you :) Will look into it. Also thank you for the ++ ;)
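The refresh-probe approach from the comments above, as an added example that is not code from anyone in this thread: the stored refresh token is tried against the token endpoint, a definitive `invalid_grant` (RFC 6749 §5.2, which is what a revoked or deleted account produces) deactivates the subscription, while a network failure is only counted so a provider outage does not wipe users. The `Subscription` class, the `refresh` callable and `fake_token_endpoint` are assumptions for illustration; encryption of the stored token at rest is assumed, not shown.

```python
"""Added example: decide whether an upstream OAuth2 account is gone by
probing the refresh-token grant, deactivating only on a terminal error."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Subscription:
    email: str
    refresh_token: str        # assumed stored encrypted at rest, decrypted here
    active: bool = True
    failed_refreshes: int = 0  # consecutive transient failures
    last_error: str = ""


# Token-endpoint error codes that mean the grant is dead, not merely unreachable.
TERMINAL_ERRORS = {"invalid_grant", "invalid_client", "unauthorized_client"}


def probe_refresh(sub: Subscription, refresh: Callable[[str], dict]) -> Subscription:
    """refresh() is a hypothetical token-endpoint client: it returns the parsed
    JSON body ({"access_token": ...} or {"error": ...}) and raises on network
    failure. Mutates and returns the subscription."""
    try:
        resp = refresh(sub.refresh_token)
    except (OSError, TimeoutError) as exc:
        # Transient: keep notifying, just record the failure for later review.
        sub.failed_refreshes += 1
        sub.last_error = f"transient: {exc}"
        return sub
    if "access_token" in resp:
        sub.failed_refreshes = 0
        sub.last_error = ""
        return sub
    err = resp.get("error", "unknown")
    sub.last_error = err
    if err in TERMINAL_ERRORS:
        sub.active = False    # provider says the grant is gone: stop the emails
    else:
        sub.failed_refreshes += 1
    return sub


def fake_token_endpoint(deleted_tokens: set) -> Callable[[str], dict]:
    """Constructed stand-in for a provider's token endpoint (not a real API)."""
    def refresh(token: str) -> dict:
        if token in deleted_tokens:
            return {"error": "invalid_grant"}
        if token == "rt-flaky":
            raise TimeoutError("provider unreachable")
        return {"access_token": "at-" + token, "expires_in": 3600}
    return refresh
```

Run the probe from a scheduled job rather than on every notification, and deactivate only on the terminal branch so a transient outage never looks like an account deletion.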