I'm developing a client as a UWP. I can handle the OAuth login without problems, but I'm not really sure where I should save the OAuth access_token for the users. Is ApplicationData.LocalSettings a secure place to store this type of information?
The safest way to store your access token is to simply not store it client-side at all. How does that work? Well, at the point of generating the access token, generate some other cryptographically secure PRNG value (which you map to the access token on the server), map this to the user's session ID and return this to the client instead.
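The server-side half of that answer, as an added illustration that is not part of the original post: the client only ever receives an opaque handle, the real OAuth access token stays on the server, and the handle is bound to the session it was issued for. The class name, the in-memory dictionary and the session-id parameter are assumptions for the example; a real deployment would back this with a shared store and tie it to its own session mechanism.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example (not the original answer's code). A broker that hands the client an
// opaque handle instead of the real OAuth access token. TokenBroker, the session-id
// string and the in-memory dictionary are assumptions made for illustration.
public sealed class TokenBroker
{
    private sealed record Entry(string AccessToken, string SessionId, DateTimeOffset ExpiresAt);

    private readonly ConcurrentDictionary<string, Entry> _handles = new();

    // Called right after the OAuth exchange, while the real access token is still server-side.
    public string Issue(string accessToken, string sessionId, TimeSpan lifetime)
    {
        // 32 bytes from a CSPRNG, base64url-encoded: unguessable and safe to put in a header.
        byte[] raw = RandomNumberGenerator.GetBytes(32);
        string handle = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _handles[handle] = new Entry(accessToken, sessionId, DateTimeOffset.UtcNow.Add(lifetime));
        return handle; // this opaque value is all the client ever sees
    }

    // Resolve a handle back to the access token, but only for the session it was bound to.
    public bool TryResolve(string handle, string sessionId, out string accessToken)
    {
        accessToken = null;
        if (!_handles.TryGetValue(handle, out var entry)) return false;

        if (entry.ExpiresAt <= DateTimeOffset.UtcNow)
        {
            _handles.TryRemove(handle, out _); // expired: drop it and fail closed
            return false;
        }

        // Constant-time comparison so the session check does not leak via timing.
        bool sameSession = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(entry.SessionId),
            Encoding.UTF8.GetBytes(sessionId));
        if (!sameSession) return false;

        accessToken = entry.AccessToken;
        return true;
    }

    // Logout or suspected compromise: invalidate the handle without touching the upstream token.
    public void Revoke(string handle) => _handles.TryRemove(handle, out _);
}
```

With this shape a leaked handle is useless outside the session it was issued to, and revoking it never requires contacting the OAuth provider; the UWP client still has to keep the handle somewhere, but that value is now short-lived and server-revocable rather than a bearer token for the upstream API.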
Well, you can secure your access token by following two options. Save your access token into the Android Keystore, which cannot be reversed. Use an NDK function with some calculation that saves your token; NDK with C++ code is very hard to reverse.
A more common pattern to store access tokens is manually saving them to cookies from your client code. While this still isn't very secure, it's much better than localStorage. In fact, it has some actual applications that httpOnly doesn't cover. Cookies are still easy to access, but...
Access tokens are a hugely important part of any web app. They contain sensitive information about your user, and if someone got their hands on one they would be able to impersonate that user very easily.
The Windows Runtime provides the PasswordVault class to securely store credentials.
https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.credentials.passwordvault.aspx
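Putting that answer into practice for the question's UWP client, as an added example that is not part of the original answer: a small wrapper around Windows.Security.Credentials.PasswordVault that stores, reads and deletes the access token under a per-app resource name instead of ApplicationData.LocalSettings. The resource string "MyApp.OAuth" and the TokenStore class name are assumptions made for the example.

```csharp
using System;
using System.Linq;
using Windows.Security.Credentials;

// Added example (not the original answer's code). Keeps the OAuth access token in the
// OS credential vault rather than in LocalSettings. The resource name and class name
// are assumptions made for illustration.
public static class TokenStore
{
    private const string Resource = "MyApp.OAuth"; // assumed per-app resource identifier

    // Store (or replace) the token for one signed-in user.
    public static void Save(string userName, string accessToken)
    {
        var vault = new PasswordVault();
        Delete(userName); // a refreshed token replaces the old one instead of piling up
        vault.Add(new PasswordCredential(Resource, userName, accessToken));
    }

    // Returns the token, or null when nothing is stored for this user.
    public static string Load(string userName)
    {
        var vault = new PasswordVault();
        try
        {
            PasswordCredential cred = vault.Retrieve(Resource, userName);
            cred.RetrievePassword(); // the secret is only materialised on demand
            return cred.Password;
        }
        catch (Exception)
        {
            // Retrieve throws when no credential matches; treat that as "not logged in".
            return null;
        }
    }

    // Remove the token on logout or when the server reports it as revoked.
    public static void Delete(string userName)
    {
        var vault = new PasswordVault();
        try
        {
            foreach (var cred in vault.FindAllByResource(Resource).Where(c => c.UserName == userName))
                vault.Remove(cred);
        }
        catch (Exception)
        {
            // FindAllByResource throws when nothing is stored under this resource; nothing to do.
        }
    }
}
```

The vault is encrypted by the OS and scoped to the current Windows user, which is the protection LocalSettings lacks. Two caveats worth checking in your own app: credentials in the vault can roam with the user's Microsoft account, so prefer short-lived access tokens with a refresh flow over long-lived ones, and clear the entry on logout so a shared machine does not keep a usable token behind.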