The access token is set with a reasonably lower expiration time of 30 mins. The refresh token is set with a very long expiration time of 200 days. If the traffic to this API is 10 requests/second, then it can generate as many as 864,000 tokens in a day.
The Refresh token has a sliding window that is valid for 14 days and refresh token's validity is for 90 days.
The usual practice is to store access tokens in the browser's session storage or local storage. This is because we need to persist access tokens across page reloads, to prevent the need to re-authenticate on every reload.
Should access tokens for services like Twitter and Facebook be encrypted? In particular, should tokens be stored on the the device's Keychain vs. UserDefaults? What are some possible security issues that could arise if a user's device is stolen/taken
This is what I have come up with so far.
Pros of Keychain: Encrypted
Cons: No way to clean up when user removed app
Pros of UserDefaults: Kept inside the app.
Cons: No encryption.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With