Securely storing user credential tokens

Question

I'm writing a service where users use OAuth to log into another service. The point of my service is to do some maintenance things for the user when they're not logged in. So, I need to keep their OAuth token stored so it can be used while the user is not logged in. If the user was logged in, I could use the user's password as an encryption key (asked for each time; the user's password is only stored as a hash) and store the token encrypted.

But as it is, I need the web service to be able to use those tokens when the user's not logged in. So, I'm considering storing them encrypted in the database (AES), but then the key to decrypt them will either need to be hard-coded into the application, or derived from something else (combination of user's name/email/hashed password), though the logic of that derivation would still be in the source.

Given that this will be written in PHP, which cant be compiled to obscure a secret key, what are my best options for making this as secure as possible? My source code has always had database credentials in it, which means someone could mess up that database if they could get at the source coe, but having OAuth tokens on hand means an intruder could mess up the user's data on OTHER sites as well, if mine is compromised, and I'd like to give my users as much assurance as possible that won't happen.

Answer 1

Part of the reason for using OAuth tokens in the first place is that they can be revoked. Protect the tokens like you would any other user-specific data, and that's plenty. If you have reason to believe that your user data is compromised at any specific point in the future, inform your users and ask them to revoke the token.