Reputation: 182
Let's say we have a very simple Java application that edits resources on remote servers, authenticating to them with access tokens. The application always uses the same identity, so it always uses the same client ID, secret and refresh token to obtain an access token.
The whole authentication process is supposed to go through without user intervention, and the app should perform actions automatically, triggered by a user from another application. The other app sends HTTP requests, but the whole thing would only be accessible on the internal network, and there would be no "legal" way to access it from outside.
Is there a way to keep this data (refresh token, client id, secret...) securely within my application?
I have seen similar questions, but they all talked about websites and cookies, whereas this is supposed to happen under the hood, without any frontend, so I don't think those apply to my issue.
Edit: the application will be deployed on an internal server, so it's not a desktop solution. Basically there is an internal app that will send an HTTP request to mine, triggering an edit on a remote server that is outside the internal network.
Upvotes: 1
Views: 1578
Reputation: 29291
The simplest option is to use memory storage, but if that doesn't work because you need to deal with restarts, etc., operating systems provide per-user secure storage. This is a model sometimes used by OAuth desktop or console clients.
It would require some native interop to interact with these credential stores, via use of a library such as java-keytar.
DESKTOP EXAMPLE
For something to compare against see these resources of mine:
Upvotes: 1
Reputation: 21903
It is not a good idea to store client secrets, access tokens, refresh tokens, etc. in persistent storage unless they are stored in a secret store (like Vault). But there are other options.
If you are using Spring then you can use Spring OAuth2RestTemplate or else you can write something similar by looking at the code.
It acquires or renews an access token transparently and caches it to avoid round trips to the authorization server.
Upvotes: 1
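Both answers point the same way: keep the long-lived secrets in a secret store or OS credential store, hold them only in process memory at runtime, and let a small cache acquire and renew the access token transparently. The class below is an added example, not code from the question or either answer, and it assumes a token endpoint that follows the standard OAuth 2.0 refresh_token grant (client authenticated with HTTP Basic, JSON response with `access_token`, `expires_in` and an optional rotated `refresh_token`). The environment variable names (`OAUTH_TOKEN_ENDPOINT`, `OAUTH_CLIENT_ID`, `OAUTH_CLIENT_SECRET`, `OAUTH_REFRESH_TOKEN`) are assumptions; a secret store or the deployment tooling would populate them, and the process itself never writes any of these values to disk.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the question or either answer): keeps the client
 * credentials, the refresh token and the cached access token only in process
 * memory. The long-lived secrets are injected once at startup, here from
 * environment variables that a secret store (Vault, an OS credential store)
 * or the deployment tooling is assumed to set. Nothing is persisted to disk.
 */
public final class TokenManager {
    /** Assumed safety margin: renew this long before the token actually expires. */
    private static final Duration SKEW = Duration.ofSeconds(30);
    private static final Pattern ACCESS  = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"");
    private static final Pattern REFRESH = Pattern.compile("\"refresh_token\"\\s*:\\s*\"([^\"]+)\"");
    private static final Pattern EXPIRES = Pattern.compile("\"expires_in\"\\s*:\\s*(\\d+)");

    private final HttpClient http = HttpClient.newHttpClient();
    private final URI tokenEndpoint;
    private final String clientId;
    private final String clientSecret;
    private String refreshToken;   // may be rotated by the server on every refresh
    private String accessToken;    // cached in memory only
    private Instant expiresAt = Instant.EPOCH;

    public TokenManager(URI tokenEndpoint, String clientId, String clientSecret, String refreshToken) {
        this.tokenEndpoint = tokenEndpoint;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
        this.refreshToken = refreshToken;
    }

    /** Variable names are assumptions; the secret store or deployment tooling sets them. */
    public static TokenManager fromEnvironment() {
        return new TokenManager(
                URI.create(require("OAUTH_TOKEN_ENDPOINT")),
                require("OAUTH_CLIENT_ID"),
                require("OAUTH_CLIENT_SECRET"),
                require("OAUTH_REFRESH_TOKEN"));
    }

    private static String require(String name) {
        String v = System.getenv(name);
        if (v == null || v.isBlank()) throw new IllegalStateException("missing " + name);
        return v;
    }

    /** Returns a usable access token, refreshing transparently when none is cached or it is about to expire. */
    public synchronized String accessToken() throws IOException, InterruptedException {
        if (accessToken == null || !Instant.now().plus(SKEW).isBefore(expiresAt)) {
            refresh();
        }
        return accessToken;
    }

    /** refresh_token grant (RFC 6749 section 6) with HTTP Basic client authentication (section 2.3.1). */
    private void refresh() throws IOException, InterruptedException {
        String basic = Base64.getEncoder().encodeToString(
                (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        String form = "grant_type=refresh_token&refresh_token="
                + URLEncoder.encode(refreshToken, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(tokenEndpoint)
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // Report only the status: never put a token response body into logs or exceptions.
            throw new IOException("token endpoint returned HTTP " + resp.statusCode());
        }
        String body = resp.body();
        accessToken = field(ACCESS, body)
                .orElseThrow(() -> new IOException("no access_token in token response"));
        field(REFRESH, body).ifPresent(t -> refreshToken = t);           // keep a rotated refresh token
        long ttl = field(EXPIRES, body).map(Long::parseLong).orElse(300L); // assume 5 minutes if omitted
        expiresAt = Instant.now().plusSeconds(ttl);
    }

    /** Minimal extraction to keep the example dependency-free; use a real JSON parser in production. */
    private static Optional<String> field(Pattern p, String json) {
        Matcher m = p.matcher(json);
        return m.find() ? Optional.of(m.group(1)) : Optional.empty();
    }
}
```

Callers obtain a `TokenManager` once (for example `TokenManager.fromEnvironment()` at startup) and call `accessToken()` before each request to the remote server; the `synchronized` method keeps concurrent triggers from racing on the refresh. Two caveats a practitioner would want: if the server rotates refresh tokens, the rotated value lives only in this process and is lost on restart, so either persist it back into the secret store or have the store hand out a fresh one at startup; and in Java a `String` secret stays on the heap until collected, so treat a heap dump as equivalent to a credential leak.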