Reputation: 53
Local storage is not the right place to store tokens. But this blog post says LocalCache is generally the right location. If I store it in LocalCache using DPAPI, is this secure enough?
Is PasswordVault a good place to store it?
How can I store token securely so that outside this application token is not accessible?
Upvotes: 1
Views: 1492
Reputation: 39092
I would definitely recommend storing confidential information like an Access Token in the PasswordVault, as LocalSettings are not encrypted and are accessible quite easily from the app's package folder in AppData.
Although PasswordVault has a bit of an odd API, you can still easily use it to store the token:
var passwordVault = new PasswordVault();
passwordVault.Add(new PasswordCredential("Resource", "UserName", accessToken));
In your case, you most likely care only about the access token, so the "resource" and "user name" may be just arbitrary constants. Retrieving the token is easy as well:
// Find credentials in the store
PasswordCredential? credential = null;
try
{
    // Try to get an existing credential from the vault.
    credential = passwordVault.Retrieve("Resource", "UserName");
}
catch (Exception)
{
    // When there is no matching resource an error occurs, which we ignore.
}
credential?.RetrievePassword();
return credential?.Password;
Note the use of try..catch. This is because the vault throws if the given resource/user name combo is not found (which could even happen when the user manually deletes the entry in the system Credential Manager).
Another advantage of PasswordVault is that credentials are synced across devices (although this feature may be going away in future versions).
Upvotes: 4
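An added example, not part of the answer above: a small wrapper around PasswordVault that also covers replacing a stale token and deleting it at sign-out, and that looks entries up through RetrieveAll() so a missing entry needs no exception handling. The class name and the resource and user name constants are hypothetical.

```csharp
using System;
using System.Linq;
using Windows.Security.Credentials;

// Hypothetical helper for a UWP app; not code from the original answer.
public sealed class VaultTokenStore
{
    // Arbitrary constants (assumptions) that identify this app's single vault entry.
    private const string Resource = "MyApp.AccessToken";
    private const string UserName = "default";

    private readonly PasswordVault _vault = new PasswordVault();

    // Store the token, replacing any entry left over from an earlier session.
    public void Save(string accessToken)
    {
        if (string.IsNullOrEmpty(accessToken))
            throw new ArgumentException("Token must not be empty.", nameof(accessToken));

        Remove();
        _vault.Add(new PasswordCredential(Resource, UserName, accessToken));
    }

    // Returns the stored token, or null when nothing is stored
    // (for example after the user deleted the entry in Credential Manager).
    public string TryGet()
    {
        PasswordCredential credential = Find();
        if (credential == null) return null;

        credential.RetrievePassword(); // populate the Password property
        return credential.Password;
    }

    // Call on sign-out so the token does not outlive the session.
    public void Remove()
    {
        PasswordCredential credential = Find();
        if (credential != null) _vault.Remove(credential);
    }

    // RetrieveAll() returns an empty list when the vault holds no entries,
    // so the lookup needs no try/catch.
    private PasswordCredential Find()
    {
        return _vault.RetrieveAll()
                     .FirstOrDefault(c => c.Resource == Resource && c.UserName == UserName);
    }
}
```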
Reputation: 32785
Where to store access token securely in UWP application?
In general, we often store the access token with the ApplicationData.LocalSettings class, which places the settings container in the local app data store. You could use it like the following.
var localSettings = Windows.Storage.ApplicationData.Current.LocalSettings;
// Create a simple setting.
localSettings.Values["accesstoken"] = token;
// Read data from a simple setting.
Object value = localSettings.Values["accesstoken"];
if (value == null)
{
// No data.
}
else
{
// Access data in value.
}
And if you want to store the access token securely, the Windows Runtime provides the PasswordVault class to securely store credentials. For more, please refer to this document.
Upvotes: 0