Reputation: 8161
With OAuth I can get an access token and keep it in my DB (or use a refresh token and do the same). But isn't this a security risk? Because any internal developer can use this and access the data without the client knowing about it. Earlier, when we had passwords, since the password is hashed a developer could not use it.
e.g.: O365 mail access given by an app in the company, and a developer reads the email of another employee.
Upvotes: 3
Views: 1245
Reputation: 54008
If there is an internal security threat like this you can hash or encrypt the tokens before storing them, basically adopting the same approach that you would do for passwords. Of course this makes sense only when the developer has no access to the encryption key or hash key...
Upvotes: 1
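As an added illustration of the "encrypt before storing, with the key outside the developer's reach" approach above (this is example code written for this page, not code from the answer's author or from any OAuth library): a small token vault that encrypts each refresh token with AES-256-GCM before it is written to the database. The key is assumed to come from a KMS, HSM or environment variable the database readers cannot see; `TokenVault`, `Seal`, `Open` and the sample token value are hypothetical names and constructed data. The user ID is bound in as GCM additional data, so a ciphertext copied from one user's row into another's fails to decrypt, and a copy of the database plus a guessed or different key fails as well.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// TokenVault encrypts OAuth refresh/access tokens before they reach the DB.
// The key is injected from outside the database (KMS, HSM, env var) and is
// never stored next to the ciphertext. Hypothetical type for this example.
type TokenVault struct {
	aead cipher.AEAD
}

// NewTokenVault builds a vault from a 32-byte AES-256 key.
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Seal encrypts token for storage. userID is authenticated as additional
// data, so the ciphertext only opens for the row (user) it was sealed for.
// Output is base64(nonce || ciphertext || tag), ready for a text column.
func (v *TokenVault) Seal(userID, token string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(token), []byte(userID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts a stored value for userID; any key, user or ciphertext
// mismatch is reported as an error rather than returning garbage.
func (v *TokenVault) Open(userID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := v.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:n], raw[n:], []byte(userID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed key: in production this comes from a KMS/HSM, not from code.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault, _ := NewTokenVault(key)

	// db stands in for the tokens table: user id -> ciphertext only.
	db := map[string]string{}
	ct, _ := vault.Seal("alice", "constructed-refresh-token-value")
	db["alice"] = ct

	// The application, holding the key, reads the token back.
	tok, err := vault.Open("alice", db["alice"])
	fmt.Println("app:", tok, err)

	// A developer with only a DB dump and no key gets nothing usable.
	otherKey := make([]byte, 32)
	rogue, _ := NewTokenVault(otherKey)
	_, err = rogue.Open("alice", db["alice"])
	fmt.Println("rogue with wrong key:", err)

	// Nor can a row be copied to another user to read it as that user.
	_, err = vault.Open("bob", db["alice"])
	fmt.Println("row copied to bob:", err)
}
```

The design choice worth noting is that this only buys anything if the key is not retrievable by the same people who can read the table: keep it in a KMS with audit logging and scope decryption to the application's runtime identity, not to developer accounts.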
Reputation: 23486
Access tokens are typically not stored in a database in OAuth.
Refresh tokens are, but when a client wants to use a refresh token, it also needs a client id and secret. The client secret is like a password, given to a client when it is registered with the authorization server and should be stored salted and hashed in the database.
So a rogue developer cannot just steal a refresh token from the database and use it to impersonate a client.
Upvotes: 2
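To make the refresh-token exchange described in this answer concrete, here is an added example of the authorization-server side of `grant_type=refresh_token` for a confidential client (example code written for this page, not code from the answer's author or from any OAuth implementation; `AuthServer`, `RegisterClient`, `IssueRefreshToken` and `Refresh` are hypothetical names). The client secret is stored only as salt plus SHA-256(salt || secret); because the server generates the secret as 256 bits of random data, a salted fast hash is enough, whereas a user-chosen password would need a slow KDF such as bcrypt or Argon2. Refresh tokens are likewise stored hashed, so a copy of either table yields nothing presentable. Issued access tokens are plain random strings here, an assumption standing in for whatever token format a real server issues.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Errors use the OAuth 2.0 token-endpoint error codes.
var (
	ErrInvalidClient = errors.New("invalid_client")
	ErrInvalidGrant  = errors.New("invalid_grant")
)

// clientRecord is what the authorization server keeps for a registered
// client: never the secret itself, only its salt and salted hash.
type clientRecord struct {
	salt       []byte
	secretHash []byte
}

// AuthServer is a hypothetical in-memory authorization server.
type AuthServer struct {
	clients       map[string]clientRecord
	refreshTokens map[string]string // sha256(refresh token) -> owning client_id
}

func NewAuthServer() *AuthServer {
	return &AuthServer{
		clients:       map[string]clientRecord{},
		refreshTokens: map[string]string{},
	}
}

// randomToken returns 256 bits of randomness as hex.
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func hashSecret(salt, secret []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write(secret)
	return h.Sum(nil)
}

// tokenKey is the DB lookup key for a refresh token; the token itself is
// high-entropy, so an unsalted hash is safe and still useless if leaked.
func tokenKey(rt string) string {
	sum := sha256.Sum256([]byte(rt))
	return hex.EncodeToString(sum[:])
}

// RegisterClient generates the client secret, stores only its salted hash,
// and returns the secret exactly once, as a server does at registration.
func (s *AuthServer) RegisterClient(clientID string) (string, error) {
	secret := randomToken()
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	s.clients[clientID] = clientRecord{salt: salt, secretHash: hashSecret(salt, []byte(secret))}
	return secret, nil
}

// IssueRefreshToken stands in for the end of an authorization-code flow.
func (s *AuthServer) IssueRefreshToken(clientID string) string {
	rt := randomToken()
	s.refreshTokens[tokenKey(rt)] = clientID
	return rt
}

// Refresh handles grant_type=refresh_token: the client must authenticate
// with its id and secret, and the refresh token must belong to that client.
func (s *AuthServer) Refresh(clientID, clientSecret, refreshToken string) (string, error) {
	rec, ok := s.clients[clientID]
	if !ok {
		return "", ErrInvalidClient
	}
	if subtle.ConstantTimeCompare(hashSecret(rec.salt, []byte(clientSecret)), rec.secretHash) != 1 {
		return "", ErrInvalidClient
	}
	owner, ok := s.refreshTokens[tokenKey(refreshToken)]
	if !ok || owner != clientID {
		return "", ErrInvalidGrant
	}
	return randomToken(), nil // new access token (a real server would also rotate the refresh token)
}

func main() {
	as := NewAuthServer()
	secret, _ := as.RegisterClient("mail-app")
	rt := as.IssueRefreshToken("mail-app")

	_, err := as.Refresh("mail-app", secret, rt)
	fmt.Println("legitimate client:", err)
	// A developer who copied the refresh token out of a DB dump but does not
	// hold the client secret is rejected before the token is even looked up.
	_, err = as.Refresh("mail-app", "guessed-secret", rt)
	fmt.Println("stolen refresh token, no secret:", err)
}
```

The secret check runs before the refresh-token lookup so the server's response does not reveal whether a stolen token is still valid to a caller who has not authenticated as the client.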