Are you still working on this?
I’ve done a bit of reading, but I’m not certain about what the “token” actually is. Is it user-specific? response-specific?
I plan to store that information in a database but I think I should also store something in a session so that they stay logged in.
If you want to keep the user “logged in,” just give them your own token once you’ve authenticated them. Keep it in the session, or set a cookie if you want it to persist longer.
But what if they’re logged out (for whatever reason), I already have their credentials stored in a database and they want to log back in?
Well, the whole point of OpAuth is that the user doesn’t log in with you; they log in with someone else. Now, if the “token” you refer to is user-specific (doesn’t change), then when a user logs in again you could use it to recognize them (and use the existing user info, instead of creating a “new” account).
Dunno if that answers your question.
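
The flow discussed in this thread, as an added example that is not part of the original posts and is not Opauth's own code: recognize a returning user by a stable provider-side id, then hand out a token of your own for the session. It assumes the already validated login response carries a provider name and a user id (called `provider` and `uid` here); the schema, function names and sample values are hypothetical.

```php
<?php
// Added example: schema, function names and sample values are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, provider TEXT NOT NULL,
    provider_uid TEXT NOT NULL, name TEXT, UNIQUE (provider, provider_uid))');
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');

// Recognize a returning user by (provider, uid), which does not change between
// logins; create the local account only on the first login.
function findOrCreateUser(PDO $db, array $auth): int
{
    $find = $db->prepare('SELECT id FROM users WHERE provider = ? AND provider_uid = ?');
    $find->execute([$auth['provider'], (string) $auth['uid']]);
    $id = $find->fetchColumn();
    if ($id !== false) {
        return (int) $id;
    }
    $ins = $db->prepare('INSERT INTO users (provider, provider_uid, name) VALUES (?, ?, ?)');
    $ins->execute([$auth['provider'], (string) $auth['uid'], $auth['info']['name'] ?? null]);
    return (int) $db->lastInsertId();
}

// Issue your own random session token; only its hash is stored server-side,
// so a leaked sessions table cannot be replayed as live sessions.
function issueSession(PDO $db, int $userId, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));
    $ins = $db->prepare('INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $ins->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;
}

// Resolve a presented token back to a user id, or null if unknown or expired.
function userForToken(PDO $db, string $token): ?int
{
    $q = $db->prepare('SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > ?');
    $q->execute([hash('sha256', $token), time()]);
    $id = $q->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed sample: the same person logging in twice through the same provider.
$auth = ['provider' => 'ExampleProvider', 'uid' => '12345', 'info' => ['name' => 'Alice']];
$first = findOrCreateUser($db, $auth);
$token = issueSession($db, $first);
$second = findOrCreateUser($db, $auth);
var_dump($first === $second, userForToken($db, $token) === $first);
```

When the token is sent to the browser as a cookie, set it with the `HttpOnly` and `Secure` flags so page scripts and plain-HTTP requests cannot read it.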