I'm creating a little application where users must authenticate with Facebook (I'm using OAuth2). At the moment the whole procedure looks like this:

  • The user will click on "FB Login" button.
  • The user will be asked to log in to Facebook and allow permission. If the user allows it, an authorization code is returned.
  • Now we will use the authorization code to get an access token.
  • We can store the access token in session to start a user session.
  • Now we can use the access token to access different user resources.

And here I have a question: what is the best (i.e. the safest) way to store the access_token for later use? Simply "hide" it in the database and take it when it's needed, or could one develop some original hash algorithm to secure it?

Paul

1 Answer

Access tokens have a short lifetime - if you have a server-side session, it's easier to keep an access token there (not in a database), so that all requests can use it. It's better to reuse a single access token than to get a new one for each request by using a refresh token. One reason is performance. Getting a new access token may revoke older access tokens created by the same refresh token, but it depends on your OAuth2 server implementation.

The backend session should be safe enough, as long as your server doesn't keep its session data in a place that anyone can read (some temporary disk storage).

When keeping access tokens in a session, you will probably have to find a way to refresh them - you should prevent multiple requests (threads) from refreshing a single access token.

Ján Halaša
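The refresh problem the answer ends on, as an added example that is not from the question or the answer: a per-session token holder that refreshes under a lock with a double check, so that concurrent requests hitting an expired token trigger exactly one refresh-token grant instead of racing each other (and risking revocation of each other's tokens). The `Token` class, the `refresh_fn` callable standing in for the real refresh request, and the 30-second expiry skew are assumptions for the example.

```python
import threading
import time
from dataclasses import dataclass


@dataclass
class Token:
    access_token: str
    expires_at: float  # absolute Unix time at which the token expires


class SessionTokenStore:
    """Holds one session's OAuth2 access token in server memory and refreshes
    it under a lock so that concurrent requests share a single refresh."""

    def __init__(self, token, refresh_fn, skew=30.0):
        self._token = token
        self._refresh_fn = refresh_fn  # callable -> Token; performs the refresh_token grant
        self._skew = skew              # refresh this many seconds before real expiry
        self._lock = threading.Lock()
        self.refresh_count = 0

    def _expired(self, now):
        return now >= self._token.expires_at - self._skew

    def get(self, now=None):
        """Return a usable access token, refreshing at most once per expiry."""
        now = time.time() if now is None else now
        if not self._expired(now):
            return self._token.access_token  # fast path, no lock needed
        with self._lock:
            # Double check: another request may have refreshed while we waited.
            if self._expired(now):
                self._token = self._refresh_fn()
                self.refresh_count += 1
            return self._token.access_token


def simulate_concurrent_refresh(n_threads=20):
    """Constructed scenario: an already-expired token and N requests at once.
    Returns (number of refreshes performed, set of tokens handed out)."""
    calls = {"n": 0}

    def fake_refresh():
        time.sleep(0.05)  # stand-in for the network round trip to the OAuth2 server
        calls["n"] += 1
        return Token(f"new-token-{calls['n']}", time.time() + 3600)

    store = SessionTokenStore(Token("old-token", time.time() - 1), fake_refresh)
    results = []
    threads = [threading.Thread(target=lambda: results.append(store.get())) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.refresh_count, set(results)
```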