Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How important is it to keep OAuth's access token secret?

Once I receive my access token for a site (say facebook) using OAuth, how important is it to keep this secret? Could anything malicious happen if someone got a hold of one?

I was wondering if it would be a bad idea to save the token in a cookie or session.

like image 853
Brad Barrows Avatar asked Oct 31 '10 23:10

Brad Barrows


2 Answers

Yes, the access token is equivalent to your username/password. Most implementations will expire the access token after a time but while it is still valid it must be kept a secret.

like image 82
Josh Avatar answered Nov 01 '22 19:11

Josh


Update: if you are having the user connect with the javascript sdk, the user id and access tokens are already be stored in cookies for your site. Check the http cookies being sent. If they are not, check the FB.Init documentation, as FB.Init has a cookies boolean parameter you can set so that it will create a cookie for you named fbs_{APPID}. This post talks about that cookie.

like image 22
bkaid Avatar answered Nov 01 '22 18:11

bkaid