

Ask HN: How are you storing OAuth access keys and secrets? - bpedro

During a regular OAuth dance, you receive and save users OAuth access keys and secrets. Each time you need to act on behalf of the user you'll retrieve an access key and secret.<p>Question is: how do you store this information and prevent an attacker from getting access to it?
======
ryanlchan
I've been thinking about this as well; the results I could find are from quite
a while ago, but in general the answer is to use a reversible encryption like
AES [1] along with secure storage of the encryption key [2], preferably on
another server or in an isolated part of the server. Not particularly
satisfying, is it...

[1]: [http://stackoverflow.com/questions/1878830/securly-
storing-o...](http://stackoverflow.com/questions/1878830/securly-storing-
openid-identifiers-and-oauth-tokens)

[2]: [http://security.stackexchange.com/questions/12332/where-
to-s...](http://security.stackexchange.com/questions/12332/where-to-store-a-
key-for-encryption)

------
zmitri
On iOS I store that info in the keychain. In database I believe it is usually
stored in plain text as the user can at anytime remove access to the
credentials on the 3rd party's site.

~~~
bpedro
Storing credentials in plain text is not something that you'd want to do if
you want to prevent an attacker to easily access them.

