I was looking for some advice as I am dipping my toes into the world of web development. The question might be broader than the title suggests, so any tip that may be in a different direction is also appreciated.
I am developing a web app to show a user their Spotify playlists and offer the option to recreate a playlist on YouTube. To use both of these APIs, I will be using OAuth 2.0 Authorization Grant Flow and requesting the tokens through back channels. I am really interested only in the functionality at the moment, so I don't plan on persisting any user information or having any authentication in place.
But I would still like a user to not need to authorize the app for every little action. Can sessions be used here if I don't have any authentication in place? For example, mapping a session ID to OAuth 2.0 access and refresh tokens in the backend? Is this safe, or are there better alternatives for what I am trying to achieve here?
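
The mapping the post describes, as an added example that is not part of the original post: a random session ID is the only value sent to the browser, and the Spotify and YouTube tokens stay in a server-side store. The class and function names, the in-memory dict, the one-hour idle timeout and the cookie name `sid` are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie


class TokenSessionStore:
    """Opaque session ID -> provider tokens, held server side only."""
    def __init__(self, ttl=3600, clock=time.monotonic):  # ttl: assumed idle timeout (s)
        self._ttl, self._clock, self._sessions = ttl, clock, {}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, no user data
        self._sessions[sid] = {"tokens": {}, "seen": self._clock()}
        return sid

    def _live(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["seen"] > self._ttl:
            del self._sessions[sid]  # idle too long: the tokens go with the session
            return None
        entry["seen"] = self._clock()
        return entry

    def put_tokens(self, sid, provider, access_token, refresh_token):
        entry = self._live(sid)
        if entry is None:
            raise KeyError("unknown or expired session")
        entry["tokens"][provider] = {"access": access_token, "refresh": refresh_token}

    def get_tokens(self, sid, provider):
        entry = self._live(sid)
        return None if entry is None else entry["tokens"].get(provider)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid, name="sid"):
    """Set-Cookie value: the browser receives the opaque ID, never a token."""
    cookie = SimpleCookie()
    cookie[name] = sid
    cookie[name]["httponly"] = True   # not readable from page JavaScript
    cookie[name]["secure"] = True     # sent over HTTPS only
    cookie[name]["samesite"] = "Lax"
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()
```

Without a login, whoever holds the cookie is the session, so the ID's randomness, the cookie flags and the idle expiry are what protect the stored tokens.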