Reputation: 87
any best practices for storing and accessing oAuth access_token?
Considering the user has helped me to generate an access token and other stuff(refresh token/instance-url) in my application.Every time I do a job for the user I have to use this token and communicate with his application.
What are the best practices to store these access token with userId information?
Also any best practices to minimize the db calls for each request to the user's application?
The questions asks at the database design level inputs.
Upvotes: 1
Views: 247
Answers (1)
Reputation: 11
If you are mostly focusing on modern browser versions, you could use HTML5 session storage (i.e. sessionStorage) to store your access token. Session storage is better than local storage (i.e. localStorage) from a security standpoint. See more information here:
OWASP HTML5 Security Cheat Sheet
and here:
Introduction to sessionStorage
Be aware, though, of some of the limitations per browser version regarding how well session storage is cleared or deleted when you keep the tab or window open.
As far as minimizing calls to the database, you have to weigh how much you want to store on the client side (size) versus staleness of data (cache) versus the likelihood of keeping sensitive data on the client too long (security). You may also look at HTML5 local storage or client-side databases
@RobertHurlbut
Upvotes: 1
Related Questions
- Oauth2: best practice to keep access_token fresh?
- How should I store OAuth with my own authentication system?
- How to store access token? (Oauth 2, Auth code flow)
- OAuth 2.0 where to securely store access token for long term use
- Best practices for handling access tokens and scopes for OAuth2 implementation?
- OAuth: what information should I store in tokens
- As an OAuth Server, how should I be generating and storing OAuth 2.0 Tokens?
- Designing (OAuth2) access token
- Guidance on retaining OAuth access tokens
- Correct way to safely store token/secret/etc from OAuth?