Where to store access token and refresh token in OAuth 2.0

I am new to OAuth 2.0 and I wish to know the best practice / location to store the access token and refresh token in a generic e-commerce web site.

Question 1:
Where should the access token and refresh token be stored in web sites? (cookies, web storage or local storage). And where do big companies like Google and Dropbox store the access token and refresh token?

Question 2:
If the refresh token is stored on the client side (taking a browser on a desktop/laptop), isn't it possible that someone who gains physical access to that device is able to get the refresh token and device information and use it to generate an access token somewhere else?

Question 3:
I have seen some posts that suggest that the refresh token should never be stored on or known by the client side. Then, where should the refresh token be stored and how to reauthenticate in this case?

Solution 1:[1]

A1 -- you must store the refresh token in an http-only cookie (which is not accessible by JS) and in the database, and validate the cookie's refresh token against the database. Store the access token in memory or session storage, but it must expire in a short period of time.

Answer 1 answers both questions 1 and 3.

Solution 2:[2]

A1: the access token has a much shorter time-to-live than the refresh token. You may store the refresh token in local storage or even in other secure storage on the server side; for the access token, both web storage and local storage are fine; storing the access token in a cookie does not make much sense.

A2: yes, hence the refresh token should not be stored on the client side.

A3: store it on the server/service side.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Veer-Khatri
Solution 2: Richard Luo