11

We all know that when to store passwords, we should store it with one-way hash such as a variant of SHA, bcrypt or scrypt to prevent plain-text password leaks when the database is hacked.

But what about OAuth tokens? How should one store Facebook access token? Twitter access token? Should I store it as plain text? Encrypt it with AES and a site key? Or any more secure way to store it?

(Provided that the application requested only essential token scope from Facebook and the app have good reasons to store the token)

willwill
  • 495
  • 5
  • 9

1 Answers1

2

If at all possible, don't store OAuth tokens! Storing OAuth tokens makes your users susceptible to an attack vector they aren't aware of.

If you must store OAuth tokens then AES encrypt them with the best key you can use for this purpose. If users use a password to enter your site then generate an AES key based on the clear text password of each user (e.g. using PBKDF2) and encrypt the OAuth token of each user with their AES key.

Use a site key only as the last resort if no other options exist and do your best to secure the site key as per @tylerl's answer to Where to store a key for encryption?. But as @tylerl wrote, "there isn't a good answer".

So, again, if at all possible, don't store OAuth tokens!

David Wachtfogel
  • 5,522
  • 21
  • 35
  • 9
    Little late here, but I'd like to hear your suggestions for not storing Oauth tokens but still sending them with every API call. Especially on an app that is primarily client side. – FajitaNachos Mar 01 '13 at 15:21