Reputation: 1713
How important is it to keep OAuth's access token secret?
Once I receive my access token for a site (say facebook) using OAuth, how important is it to keep this secret? Could anything malicious happen if someone got a hold of one?
I was wondering if it would be a bad idea to save the token in a cookie or session.
Upvotes: 13
Views: 3912
Answers (2)
Reputation: 2952
Yes, the access token is equivalent to your username/password. Most implementations will expire the access token after a time but while it is still valid it must be kept a secret.
Upvotes: 5
Reputation: 52083
Update: if you are having the user connect with the javascript sdk, the user id and access tokens are already be stored in cookies for your site. Check the http cookies being sent. If they are not, check the FB.Init documentation, as FB.Init has a cookies boolean parameter you can set so that it will create a cookie for you named fbs_{APPID}. This post talks about that cookie.
Upvotes: 4
Related Questions
- OAuth clarification
- Should I reuse OAuth 2.0 access tokens?
- How does a short-lived Access Token add security?
- Are OAuth Access Tokens confidential?
- OAuth2.0 Concept
- Do I not need to secure my API endpoints (resources) with OAuth 2 access tokens?
- What's so secret about the OAuth secret?
- Understanding the need of client id, client secret in oauth 2.0
- Why does OAuth provide both an access token and an access token secret? Why not just a single value?
- OAuth: what information should I store in tokens