4 Replies Latest reply on Jul 21, 2014 4:43 PM by tone

    Where to store Jive OAuth tokens?

      Hi Community,

      What is the best way to store Jive's OAuth 2.0 access and refresh tokens for authenticating Jive API calls from an external app?

      Use case

      Jive-independent App A (not a Jive app add-on built via Jive SDK) that requires user authentication wants to make calls to the Jive API.

      1. User logs into App A, and if App A doesn't have an access token to present to Jive on behalf of the user, the OAuth dance is brilliantly performed and App A retrieves (and stores somewhere) the access and refresh tokens.
      2. The next time the user logs into App A, the user doesn't have to reauthenticate to Jive because App A already has a token ready to authenticate on behalf of that user.

      Storage options I'm considering

      I've looked around the Interwebs (i.e., php - OAuth: Storing Access Token and Secret - Stack Overflow) and saw several options mentioned, but I was hoping to get the Community's opinions on the pros and cons of any.

      • Browser cookie
      • Save in session
      • App A's database

      Thanks in advance for any feedback (and any corrections to any errors in my understanding).



        • Re: Where to store Jive OAuth tokens?
          Robert Hanson

          > Browser cookie

          You should treat a token just like a password ... never include it in any cookie (or URL, or hidden form field, etc.). It should be kept server-side and never shared with the user.

          > Save in session

          The session will typically end after a short duration. For Java apps running under Tomcat I think the default is 20 minutes. You really need to store it indefinitely.

          > App A's database

          This is your best bet.

          • Re: Where to store Jive OAuth tokens?
            Anthony Isaac

            I was also going to suggest that you persist it either to disk or to your database. However, I would suggest an additional security measure that you encrypt the tokens before saving them to the database - treat them just like you would a password. If I can gain access to a privileged user's OAuth token (like, say, someone with admin rights), I can do a lot of damage (like create another admin account) via the REST API and a REST test client (or curl). Just FYI.

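The "encrypt before saving to the database, treat it like a password" advice above, as an added Go example that is not code from this thread or from Jive: the rows map is a constructed stand-in for App A's token table, the AES key is assumed to come from a secret manager or environment variable rather than the same database, and the user id is bound as AES-GCM associated data so a ciphertext copied onto another user's row, or any tampered row, fails to decrypt instead of yielding a token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// TokenStore keeps OAuth access/refresh tokens encrypted at rest with AES-GCM; rows stands in for App A's database table (userID -> nonce||ciphertext||tag).
type TokenStore struct {
	aead cipher.AEAD
	rows map[string][]byte // constructed in-memory "database" for this example
}

// NewTokenStore takes a 16/24/32-byte key, assumed to come from a secret manager or environment variable and never from the same database as the rows.
func NewTokenStore(key []byte) (*TokenStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenStore{aead: aead, rows: map[string][]byte{}}, nil
}

// Save encrypts under a fresh random nonce and binds userID as associated data, so a ciphertext copied onto another user's row will not decrypt.
func (s *TokenStore) Save(userID, token string) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// Seal appends to its dst, so the stored row is nonce || ciphertext || tag.
	s.rows[userID] = s.aead.Seal(nonce, nonce, []byte(token), []byte(userID))
	return nil
}

// Load authenticates and decrypts; a missing row, tampering, or a userID mismatch is an error.
func (s *TokenStore) Load(userID string) (string, error) {
	row, n := s.rows[userID], s.aead.NonceSize()
	if len(row) < n { // also covers "no row": a missing key yields a nil slice
		return "", errors.New("no usable token row for user")
	}
	pt, err := s.aead.Open(nil, row[:n], row[n:], []byte(userID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```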
              • Re: Where to store Jive OAuth tokens?

                Hi Casey,

                Thanks for the useful feedback! I'll definitely take token encryption into account.

                By the way, when you mentioned persisting to disk as an option, did you mean persisting it (encrypted) to the user's local machine, as in a cookie, or by some other means? I can see how saving non-encrypted cookies is dangerous, but perhaps encrypted versions would be secure enough?

                From reading the feedback in this discussion, I'm a fan of the encrypting-the-token-and-storing-in-database solution.

                Thanks again! Your comments and Robert Hanson's comments help a lot, with me being an OAuth noob.