Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OAuth: Storing Access Token and Secret

We have a number of clients that use our API to power their websites.

I have started a conversation at work about using OAuth to make authenticated API Calls. We will have both, two and three legged flows.

For the 3-legged flow, we still have not come to a consensus on how to store the access token and secret.

The common approach to this problem would be to have the clients store the access token and secret in their own DB, but that is out of the question as the clients don't want to deal with code changes and implementation issues.

The other options we are considering:

1) Saving the access token and secret in a cookie

2) Saving them in the session.

I'm not sure whether either of these is a good idea. Does anyone have any suggestions?

Thank you.

like image 408
Onema Avatar asked Jul 19 '10 19:07

Onema


People also ask

How do I store OAuth access token?

Browser in-memory scenarios. Auth0 recommends storing tokens in browser memory as the most secure option. Using Web Workers to handle the transmission and storage of tokens is the best way to protect the tokens, as Web Workers run in a separate global scope than the rest of the application.

Where should access tokens be stored?

The usual practice is to store access tokens in the browser's session storage or local storage. This is because we need to persist access tokens across page reloads, to prevent the need to re-authenticate on every reload. This provides a better user experience.

Where should I store access token and refresh token?

If your application uses refresh token rotation, it can now store it in local storage or browser memory. You can use a service like Auth0 that supports token rotation.

Should a bearer token be kept secret?

Here are some basic considerations to keep in mind when using tokens: Keep it secret. Keep it safe: The signing key should be treated like any other credential and revealed only to services that need it. Do not add sensitive data to the payload: Tokens are signed to protect against manipulation and are easily decoded.


2 Answers

I'm assuming you're talking about the typical "Service Provider," "Consumer" and "User" type of setup. I don't know if you will be able to implement three-legged oAuth if your Consumers (client) refuse to make any changes.

The session and cookies would work for saving tokens, but the problem is that it's your Consumer (your clients) that needs to be saving them - not you. The calls to your API are happening on the back-end and so there is no real session or cookie available within that scope. If you are only making JavaScript calls, perhaps that does work but even then usually the calls are being made through a proxy in order to not have cross-domain scripting issues.

In either case, if the tokens are stored in the session or cookies, they will be "temporary" keys and the User will have to re-authenticate when the session or cookies expire. But there is nothing wrong with that as far as the oAuth spec goes - as long as the Users don't mind re-authenticating.

You can refer Sample app for .NET written using MVC 5 Razor engine

like image 84
Jason Avatar answered Sep 29 '22 13:09

Jason


as Jason mentioned it's not possible for the consumer application to make authenticated requests if they don't store the tokens needed for the authentication - they can store them in whatever way they want but this is a needed part of the equation. It can be a filesystem, memcache, database, memory.

The only way I see to use cookies for storing these is for the consumer application to set these token credential as a cookie in the user's browser and the user to send them back to the consumer with every request - however this seems absurd as first, the consumer application again will need to make changes in their code to handle this, and second, the token and token secret keys will redundantly fly around the net and the user's browser which can be a security hole if the user himself decide to do hacking.

like image 37
luben Avatar answered Sep 29 '22 13:09

luben