Reputation: 132
I’m at the planning stage for an app I’d like to create using Django. My idea for one aspect of the app is to hook into a user’s outlook.com (or gmail.com etc.) account to create a calendar entry/event.
In order to do this I plan to leverage the OAuth framework, which during the process issues both an access token and a refresh token.
What is a method I can use to store this information safely in my app’s back-end so that it can be reused and users do not need to re-authorise every time my app interacts with the user’s account on the target server?
———————————————————————————————
I have read similar questions to this, but all of the answers seem particularly vague, as if no one is willing to advise on the issue.
I thought about just storing the tokens directly in the Django session framework, but a lot of sources I’ve read strongly advise against storing the tokens directly.
I have read about encryption-storage-decryption as an option to obfuscate the tokens, but this seems pointless. If you are encrypting with the intention of scrambling the content of a database field, you are making the assumption that someone might access your database to read it. If that’s the case, surely a malevolent actor will also be able to obtain a stored environment-variable encryption key which could be used to decrypt the stored token. If so, I’d be going to all that trouble and have no enhancement of security over storing it as a plain token.
Upvotes: 4
Views: 1182
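An added example, not from the question's author, showing the separation the question weighs: token ciphertext lives in the database row while the key is loaded from the environment or a secrets manager and is never written to the database. It uses the `cryptography` package's Fernet; the `TOKEN_ENC_KEYS` variable name and the in-memory `TokenStore` standing in for a Django model are assumptions, and `readable_with` shows what a copy of the database yields without the key.

```python
"""Keep OAuth refresh tokens encrypted at rest, with the key outside the DB."""
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def new_key() -> str:
    """Generate a Fernet key (base64 text) suitable for an env var or vault."""
    return Fernet.generate_key().decode()


def load_keys(env_value: str) -> MultiFernet:
    """Parse TOKEN_ENC_KEYS (assumed name): comma-separated keys, newest first.

    MultiFernet encrypts with the first key and decrypts with any of them,
    so an old key can stay in the list until every row has been rotated.
    """
    keys = [Fernet(k.strip()) for k in env_value.split(",") if k.strip()]
    return MultiFernet(keys)


class TokenStore:
    """Stand-in for a Django model: each row holds only Fernet ciphertext."""

    def __init__(self, fernet: MultiFernet) -> None:
        self._fernet = fernet
        self.rows: dict[int, bytes] = {}  # user_id -> ciphertext (DB contents)

    def save(self, user_id: int, refresh_token: str) -> None:
        self.rows[user_id] = self._fernet.encrypt(refresh_token.encode())

    def load(self, user_id: int) -> str:
        return self._fernet.decrypt(self.rows[user_id]).decode()

    def rotate(self, new_fernet: MultiFernet) -> None:
        """Re-encrypt every row under the new primary key, then drop the old keys."""
        for user_id, blob in self.rows.items():
            self.rows[user_id] = new_fernet.rotate(blob)
        self._fernet = new_fernet


def readable_with(blob: bytes, fernet: MultiFernet) -> bool:
    """True only if this key set decrypts the stored row (tag check included)."""
    try:
        fernet.decrypt(blob)
        return True
    except InvalidToken:
        return False
```

The protection is only as good as the key's isolation: a database dump or SQL injection exposes nothing usable, whereas an attacker who can read the application host's environment has both halves.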