Apex callouts are being used to integrate Salesforce with SAP Concur.

  1. Named Credential is incompatible because Concur returns a 403 after token expiry, whereas SF expects a 401 to know when to refresh the token.
  2. Custom Metadata cannot be written to, so the access token can’t be refreshed and then stored back in the record. Also, it is only secured by RBAC.
  3. A managed package does not fit the use case.
  4. Custom Settings have a max field length of 255, and the token length is in the thousands of characters. Same security concern as metadata.

For an automated solution where a service account’s access token is stored and refreshed to be used for callouts initiated by the user without requiring them to authenticate, is a custom object with encrypted custom fields a viable (albeit far from ideal) solution?

The technical drawbacks include the fact that the token, which can range in the thousands of characters, will need to be split among a dozen or more fields, since encrypted fields have a 175-char max length, as well as the fact that it ties the integration to a specific data record.

Boghyon Hoffmann
Jordanh214

1 Answer

If Named Credential is not working then you don't have a great solution. I would not store the token in fields because your user will be able to find them. I would make a private class and store the token in there.
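
The storage scheme the question describes (a token split across 175-character encrypted fields, refreshed when Concur returns 403), sketched in Apex as an added example that is not code from the question, the answer, or SAP Concur. `Concur_Token__c`, its `Chunk_01__c` to `Chunk_24__c` fields, the `Refresher` interface and the `Bearer` header scheme are assumptions made for illustration.

```apex
// Added example. Concur_Token__c, Chunk_01__c..Chunk_24__c (encrypted text fields) and
// Refresher are hypothetical names. rec must be queried with all chunk fields selected.
public with sharing class ConcurTokenStore {
    public class TokenTooLongException extends Exception {}
    public interface Refresher { String refresh(); } // caller supplies the token-endpoint callout
    private static final Integer CHUNK_SIZE = 175;  // encrypted field limit cited in the question
    private static final Integer FIELD_COUNT = 24;  // assumption: sized for the longest token

    // Split the token across the chunk fields and persist the record.
    public static void save(Concur_Token__c rec, String token) {
        Integer needed = (token.length() + CHUNK_SIZE - 1) / CHUNK_SIZE;
        if (needed > FIELD_COUNT) { throw new TokenTooLongException('Needs ' + needed + ' fields'); }
        for (Integer i = 0; i < FIELD_COUNT; i++) {
            Integer startIdx = i * CHUNK_SIZE;
            String piece = startIdx < token.length()
                ? token.substring(startIdx, Math.min(startIdx + CHUNK_SIZE, token.length()))
                : null; // clear stale chunks left over from a longer token
            rec.put(fieldName(i), piece);
        }
        update rec;
    }

    // Reassemble the token; the first empty chunk marks the end.
    public static String load(Concur_Token__c rec) {
        String token = '';
        for (Integer i = 0; i < FIELD_COUNT; i++) {
            String piece = (String) rec.get(fieldName(i));
            if (String.isEmpty(piece)) { break; }
            token += piece;
        }
        return token;
    }

    // Per the question, Concur answers 403 on an expired token, so 403 triggers one refresh
    // and one retry. DML runs last: Apex rejects callouts while uncommitted work is pending.
    public static HttpResponse send(HttpRequest req, Concur_Token__c rec, Refresher r) {
        req.setHeader('Authorization', 'Bearer ' + load(rec)); // assumption: Bearer scheme
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 403) { return res; }
        String fresh = r.refresh();
        req.setHeader('Authorization', 'Bearer ' + fresh);
        res = new Http().send(req);
        save(rec, fresh);
        return res;
    }

    private static String fieldName(Integer i) {
        return 'Chunk_' + String.valueOf(i + 1).leftPad(2, '0') + '__c';
    }
}
```

A 403 on the retried request is returned to the caller unchanged, so a genuine authorization failure is not mistaken for another expiry.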