We store an access token in the database; it is a random string and it is stored as is, without encryption.
Must it be encrypted? Are there any security risks?
OAuth access tokens and refresh tokens should be encrypted and stored in a secure database. Your application should use a strong encryption standard such as AES. The production encryption keys should not be accessible to database administrators, business analysts, developers, or anyone who does not need them.
It is best practice to encrypt these tokens in the database. If your database is compromised, an attacker could use the tokens to access any information or actions provided by the third-party services.
Encryption alone is not a secure solution. Tokenization reduces data theft risk. Tokenization makes PCI compliance easier and more affordable. Implementation is critical to maximizing security and business flexibility.
JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. Although JWTs can be encrypted to also provide secrecy between parties, we will focus on signed tokens.
It depends on the purpose of these tokens. Access tokens are usually never stored. They are not random strings, but rather short-lived objects that are issued based on strict requirements (validation) and signed with HMAC and a secret key. All of these are measures to make them secure.
If they are just random strings, they do not fulfill any of these measures.
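As an added illustration (not code from any of the answers above) of protecting random opaque tokens at rest, this example uses a keyed hash (HMAC-SHA256, standard library only) instead of the AES encryption the earlier answer recommends: the database keeps only the fingerprint of each token, so a dump of the table does not yield presentable credentials. The `HASH_KEY`, the in-memory `store` dict and the user ids are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Server-side key used to derive the stored fingerprint. In production it must live
# outside the database (secrets manager, KMS, environment), so that a database dump
# alone cannot be used to recompute or verify fingerprints. Constructed sample value.
HASH_KEY = bytes.fromhex("4d2a1c6f9b0e7a3355c8d1f2e6a4b7c90f1e2d3c4b5a69788796a5b4c3d2e1f0")


def token_fingerprint(raw_token: str) -> str:
    """Keyed one-way fingerprint of a token; this is what gets persisted."""
    return hmac.new(HASH_KEY, raw_token.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_token(store: Dict[str, str], user_id: str) -> str:
    """Create a random opaque token, persist only its fingerprint, return the raw token once."""
    raw_token = secrets.token_urlsafe(32)  # 256 bits of randomness
    store[token_fingerprint(raw_token)] = user_id
    return raw_token


def lookup_user(store: Dict[str, str], presented_token: str) -> Optional[str]:
    """Resolve a presented token to its user, or None if unknown.

    The presented value is fingerprinted first, so a stolen fingerprint (what an
    attacker reads from the table) does not match: it would be hashed again.
    """
    candidate = token_fingerprint(presented_token)
    for stored_fp, user_id in store.items():
        if hmac.compare_digest(stored_fp, candidate):  # constant-time comparison
            return user_id
    return None


def revoke_token(store: Dict[str, str], raw_token: str) -> bool:
    """Revoke a token by its fingerprint; returns True if it existed."""
    return store.pop(token_fingerprint(raw_token), None) is not None


if __name__ == "__main__":
    db: Dict[str, str] = {}
    token = issue_token(db, "user-42")
    print("client receives:", token)
    print("database holds:", list(db))  # only the fingerprint, never the raw token
    print("valid token ->", lookup_user(db, token))
    print("leaked fingerprint ->", lookup_user(db, next(iter(db))))  # None
```

Revocation and expiry still need to be enforced by the server (this store has no timestamps), and the key must be rotated with a re-issue plan, since fingerprints made under an old key cannot be recomputed without the raw tokens.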