
I'm trying to tweet on behalf of a Twitter user using "How to connect to endpoints using OAuth 2.0 Authorization Code Flow with PKCE".

A refresh token allows an application to obtain a new access token without prompting the user.

In order to post on behalf of the users when they are offline I assume the app needs to store this refresh token that Twitter gives it in the database to persist.

But is there a best practice for storing these tokens? I'm using mongodb.

I found this:

The recommended approach is not to store access tokens, but get the access tokens as needed. Securely store only the refresh tokens, with as much rigor as if they were access tokens.

-src

But the instruction that followed seemed to be specific to Azure.

How would you store a refresh token with rigor? What does that mean for mongodb?

Dashiell Rose Bark-Huss

1 Answer


I think this is a bit of an opinionated question. My answer here is more notes than a good answer.

But here are the opinions I found so far from different devs and how to handle them.

  1. Encrypting the refresh token is overkill

I think that quote was for a different use case of oauth2. Maybe for using oauth2 also as a login to your app you would have to be more careful with the refresh tokens, though I'm not sure.

But for my use case it seems ok to store the refresh token in the db unencrypted.

A hacker would need to steal the refresh token AND the client secret to get an access token. The client secret is stored in an env file. So the refresh token alone wouldn't allow a hacker to do anything with it.

  2. You should encrypt the refresh token

Yes, a hacker would need to steal the refresh token AND the client secret to get an access token. But if they came that far, they could use the client secret to ask for more rights and take over the users' Twitter accounts. So there may be some motivation for a hacker to do that, if they realize they could take over thousands of Twitter users' accounts. I'm not really sure how you would encrypt the keys for Mongo; maybe there is something similar to Azure Vault, or maybe you can use Vault with Mongo.

Rebuttal to #2: If your env is secure, which it should be, you don't have to worry about your client secret getting compromised.

So my takeaway is this is sort of opinionated.

Dashiell Rose Bark-Huss