I am looking to implement SSO in all my future php/angular applications. I see there are services (Auth0, oauth.io, etc) that are sort of the middle man of an SSO app and there are protocols such as OAuth 1.0/2.0 but in regards to creating a custom SSO solution (using aforementioned OAuth protocols, I assume), I am a little foggy on the complete flow of the process.

What I do get:

• App gets Access Token
• (optional) App validates Access Token
• App (with Access Token) gets access to a particular API and returns result. For example, Facebook profile information.

What I don't get:

What to do with that information once I have it. Do I retain the access token and request information from the API source each time they login? How do I relate my own application data to the API data? Would I create a different kind of user record that just contains the access token and application's userid?

Do I retain the access token and request information from the API source each time they login?

If the token does not expire, you can hold on to it in a data store and use it with each request. Many times, though, the token will expire, and you need to request a new one each time you start a session. In this case you'd probably store the token in memory instead of a permanent storage location.

How do I relate my own application data to the API data?

I think we'd need to know a little more about your application to answer this question.

Would I create a different kind of user record that just contains the access token and application's userid?

Again, we'd probably need a little more information about your application. If you were persisting the token (in the case that it doesn't expire), then you need to make some considerations about how you want to store it. If not, you can probably just put it into a local variable or session.