Where should OAuth tokens be stored?
The client, in OAuth terminology, is the component that makes requests to the resource server; in your case, the client is the server of a web application (NOT the browser). Therefore, the access token should be stored on the web application server only.
Should you store OAuth tokens?
I would recommend storing tokens if you ever might reach your max lease on tokens in the application you are using. However, rather than the database, I would suggest using Redis.
How do you store authentication tokens?
To keep them secure, you should always store JWTs inside an httpOnly cookie. This is a special kind of cookie that’s only sent in HTTP requests to the server. It’s never accessible (for either reading or writing) from JavaScript running in the browser.
How do I protect my OAuth tokens?
In short, to keep OAuth secure you should consider the following 5 steps, which I describe in more detail later in the article:
- Use OpenID Connect for authentication.
- Choose correct grant type.
- Harden delivery of the access token.
- Store the access token in a safe place.
- Configure the access token securely.
How do I persist access token?
Most guidelines, while advising against storing access tokens in the session or local storage, recommend the use of session cookies. However, we can use session cookies only with the domain that sets the cookie. Another popular suggestion is to store access tokens in the browser’s memory.
Do you need to encrypt access tokens?
If you believe you can protect the encryption key better than the database storage/access, e.g. by using an HSM or secure file storage, then it makes sense to encrypt the token with such a key before storing it.
Where do you store tokens?
We strongly recommend that you store your tokens in local storage/session storage or a cookie.
How long should OAuth tokens last?
By default, access tokens are valid for 60 days and programmatic refresh tokens are valid for a year.
How do I keep my refresh token?
If you worry about long-lived Refresh Tokens, you can skip storing them and not use them at all. Just keep the Access Token in memory and do a silent sign-in when the Access Token expires. Don’t use the Implicit flow because it’s obsolete.
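The answer above keeps only the access token, in memory, and re-acquires it when it expires; the lifetime question two entries up is what decides when that happens. The following is an added example, not code from the original page or the answer's author: an in-memory holder that renews the token shortly before the deadline given by the expires_in field of the token response (RFC 6749 section 5.1), rather than decoding the token, which the client should treat as opaque. The renew callback is an assumed hook that performs the silent sign-in or refresh; it is synchronous here so the example runs stand-alone, whereas a real one would be async.

```javascript
// Added example, not code from the original page: holding an access token only
// in memory and renewing it before it expires, driven by expires_in from the
// token response. `renew` is an assumed callback doing the silent sign-in.
class InMemoryAccessToken {
  constructor(renew, skewSeconds = 30) {
    this.renew = renew;               // () => ({ access_token, expires_in })
    this.skewMs = skewSeconds * 1000; // renew this long before the deadline
    this.token = null;                // never written to localStorage or a cookie
    this.expiresAt = 0;               // ms since epoch
    this.renewals = 0;                // how many times renew() was called
  }

  // True when there is no token or it expires within the skew window.
  needsRenewal(now = Date.now()) {
    return this.token === null || now + this.skewMs >= this.expiresAt;
  }

  // Return a usable token, renewing first when necessary.
  get(now = Date.now()) {
    if (this.needsRenewal(now)) {
      const resp = this.renew();
      if (typeof resp.access_token !== 'string' || typeof resp.expires_in !== 'number') {
        throw new Error('token response missing access_token or expires_in');
      }
      this.token = resp.access_token;
      this.expiresAt = now + resp.expires_in * 1000;
      this.renewals += 1;
    }
    return this.token;
  }

  // Drop the token from memory (on logout, or after a 401 from the resource server).
  clear() {
    this.token = null;
    this.expiresAt = 0;
  }
}

// Demo with a constructed token endpoint: every call hands out a new token
// valid for one hour (expires_in = 3600).
function makeDemoRenewer() {
  let n = 0;
  return () => ({ access_token: `constructed-token-${++n}`, expires_in: 3600 });
}

const holder = new InMemoryAccessToken(makeDemoRenewer());
console.log(holder.get(0));           // renews: constructed-token-1
console.log(holder.get(1000 * 1000)); // still valid: constructed-token-1
console.log(holder.get(3600 * 1000)); // deadline reached: constructed-token-2
```

Because the token lives in a JavaScript variable, a full page reload loses it and the next get() triggers another silent sign-in; that is the trade-off the answer accepts in exchange for never persisting a long-lived credential in the browser.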
Should we store token in database?
If you are using token-based authentication as described in the linked/mentioned web page, there is no necessity to store the token in a database.
How can I get OAuth access token?
Steps to Generate OAuth Token
- Step 1: Registering a Client.
- Step 2: Making the Authorization Request.
- Step 3: Generating Tokens.
- Step 4: Refreshing your Access Tokens.