Tucker

Reputation: 7362

oauth_token and oauth_token_secret in a jwt

quick question - using twitter's oauth, I'm given an oauth_token and oauth_token_secret to validate users.

I know I can store this encrypted in a database for safekeeping, but is it a bad idea to simply stick them in an encrypted jwt (jwe)?

Thanks

Upvotes: 0

Views: 253

Answers (1)

c0de

Reputation: 819

The secret should be kept secret.

You will use the token to make API calls on behalf of the user. Keeping this in mind, it's ok to store the token in a jwt (but probably not the best practice), but definitely not ok to store the secret.

A possibly better pattern would be to store the token and secret in your user's model and refer to that user by storing the user's id in your jwt. Since you'll be sending the jwt with every request, you can decode the jwt, get the user's id and look up the user's model and make calls from there.

Upvotes: 1
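The pattern the answer recommends, as an added example that is not code from either poster: the jwt carries only the user's id and an expiry, the OAuth token and secret stay in a server-side store, and each request verifies the jwt and then looks the credentials up by id. It assumes a hypothetical in-memory `USER_STORE` standing in for the user model, a constructed signing key, and a stdlib-only HS256 signed jwt (not a jwe) so it runs without a jwt library.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed sample signing key; a real deployment loads this from secret configuration.
SIGNING_KEY = b"constructed-sample-signing-key-do-not-reuse"

# Stand-in for the user model: OAuth credentials stay server-side, keyed by user id.
# The token/secret values are constructed placeholders, not real Twitter credentials.
USER_STORE = {
    42: {"oauth_token": "sample-oauth-token", "oauth_token_secret": "sample-oauth-secret"},
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_session_jwt(user_id: int, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """HS256 jwt whose payload carries only the user id and an expiry, never the OAuth secret."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": now + ttl_seconds}, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_b64url(_sign(f'{header}.{payload}'))}"

def verify_session_jwt(token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the user id if signature, algorithm and expiry all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":  # refuse "none" etc.
            return None
        if not hmac.compare_digest(_sign(f"{header_b64}.{payload_b64}"), _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, base64 or JSON (all subclass ValueError)
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")

def credentials_for_request(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Per-request flow from the answer: decode the jwt, then look the credentials up by user id."""
    user_id = verify_session_jwt(token, now)
    return None if user_id is None else USER_STORE.get(user_id)
```

Because the jwt is only signed, not encrypted, nothing in it is hidden from whoever holds it; that is exactly why the secret must not go in the payload.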
