Where should refresh tokens be stored?
Access tokens and refresh tokens shouldn’t be stored in local/session storage, because those are not a place for any sensitive data. Hence I would store the access token in an httpOnly cookie (even though there is CSRF), and I need it for most of my requests to the Resource Server anyway.
Should I store DB refresh token?
Store refresh tokens in a secure location, such as a password-protected file system or an encrypted database. Limit access to users who need the tokens to make API calls. If you believe that a refresh token has been accessed by an unauthorized user, delete it and create a new one.
Where do I store my token spa?
If the SPA backend cannot handle the API calls itself, the tokens should still be stored in the SPA backend, but the SPA then needs to fetch the tokens from the backend in order to perform requests to the API. A protocol needs to be established between the backend and the SPA to allow the secure transfer of the token from the backend to the SPA.
Does refresh token need to be encrypted?
Refresh tokens have to be stored securely in order to be used as intended. As I understand, you are building a standalone application. Therefore, you can rely on file system security to prevent a refresh token being copied by an unauthorized user.
Is it safe to store token in cookie?
LocalStorage/SessionStorage is vulnerable to XSS attacks: an access token stored there can be read by any JavaScript running on the page. Cookies with the httpOnly, secure and SameSite=strict flags are more secure, because the access token and its payload cannot be accessed by JavaScript.
How big can third party OAuth tokens be?
The size of third-party tokens must be 2 KB or smaller. For OAuth usage limits, see Apigee product limits. In the usual case, Apigee Edge will generate and store an OAuth token, and return it to the calling application.
How to use third party OAuth tokens in Apigee?
To use tokens from third-party OAuth systems in Apigee, the flow for generating access tokens should follow one of the following patterns. One such pattern: a ServiceCallout policy to verify the inbound client credentials and acquire an external token, followed by an ExtractVariables policy or a JavaScript step to extract the externally generated token from the callout response.
When to use an external OAuth access token?
The external authentication service would typically return a response and, if the credentials are valid, also an access token. After the ServiceCallout, the API proxy needs to parse the response to extract the validity status, as well as the externally generated access_token and possibly the refresh_token.
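The response-parsing step described here (and the "JavaScript step" option mentioned two questions up), as an added example that is not Apigee's own code: it validates the external service's reply, refuses to release a token unless the credentials were confirmed valid, and enforces the 2 KB third-party token limit. It assumes the external service answers with JSON of the form `{"valid": true, "access_token": "...", "refresh_token": "...", "expires_in": 3600}`, and the sample response at the end is constructed; inside a real proxy the status and body would come from the ServiceCallout's response variables (an assumed name like `calloutResponse`), which this stand-alone Node version does not touch.

```javascript
// Added example (not Apigee's own code): the "parse the external auth response"
// step done in plain JavaScript so it runs under Node. Assumed response shape:
// {"valid": true, "access_token": "...", "refresh_token": "...", "expires_in": 3600}
const MAX_TOKEN_BYTES = 2048; // third-party tokens must be 2 KB or smaller

function utf8Length(s) {
  return new TextEncoder().encode(s).length;
}

// Returns {ok: true, accessToken, refreshToken, expiresIn} or {ok: false, reason}.
// A token is only released when the external service confirmed the credentials.
function parseExternalTokenResponse(statusCode, body) {
  if (statusCode !== 200) {
    return { ok: false, reason: 'external auth service returned HTTP ' + statusCode };
  }
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: 'response body is not valid JSON' };
  }
  if (data === null || typeof data !== 'object' || data.valid !== true) {
    return { ok: false, reason: 'client credentials rejected by external service' };
  }
  const accessToken = data.access_token;
  if (typeof accessToken !== 'string' || accessToken.length === 0) {
    return { ok: false, reason: 'access_token missing from response' };
  }
  if (utf8Length(accessToken) > MAX_TOKEN_BYTES) {
    return { ok: false, reason: 'access_token exceeds the 2 KB limit' };
  }
  // refresh_token is optional, but when present it is subject to the same limit
  let refreshToken = null;
  if (typeof data.refresh_token === 'string' && data.refresh_token.length > 0) {
    if (utf8Length(data.refresh_token) > MAX_TOKEN_BYTES) {
      return { ok: false, reason: 'refresh_token exceeds the 2 KB limit' };
    }
    refreshToken = data.refresh_token;
  }
  const expiresIn = Number.isInteger(data.expires_in) && data.expires_in > 0 ? data.expires_in : null;
  return { ok: true, accessToken, refreshToken, expiresIn };
}

// Constructed stand-in for the ServiceCallout response (in a real proxy the status
// and body would be read from the callout's response variables, e.g. an assumed
// "calloutResponse.status.code" and "calloutResponse.content").
const sampleBody = JSON.stringify({
  valid: true, access_token: 'ext-access-abc123', refresh_token: 'ext-refresh-xyz789', expires_in: 3600,
});
const sampleResult = parseExternalTokenResponse(200, sampleBody);
```

Anything the function rejects should end the token-generation flow with an error rather than falling through to the policy that stores the external token.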
How does a proxy validate an OAuth token?
Often this is done via a ServiceCallout policy that connects to a remote endpoint in your network. One way or the other, either implicitly or explicitly, you need to ensure that the API proxy that generates tokens first validates the client credentials. Keep in mind that validating the client is independent of generating the access token.