Token Storage


Token Storage has come up from several people, from both the user-agent and the Authorization Server perspectives.

Generally, we do not feel that with OAuth 2.0 you should store tokens.

user-agent Token Storage

Authorization Server Token Storage

OAuth 2.0 and NOT JWT [2][3]

Technically you can store the access token in your database, and use it for API calls until it expires. It might be more trouble than it's worth, though.

Now you have to worry about securing your database and the data in it - these tokens give access to some fairly privileged information about your users. Of course, simply storing the token in sessionStorage might put it on disk too, depending on your session configuration. It's a good idea to keep it encrypted while you're not using it.

Your proposed scenario about the user clearing cookies and coming back is also an issue. You could take the access token from the database and stick it back into their cookies, but before you do that, you have to make sure they are who they say they are - and now you have to do another layer of passwords just to give them access to the token they already gave you.

You're probably better off simply re-doing the authorization flow when they come back and click the login button again. It's not that expensive. But if that truly is a showstopper for you, then storing the token is an option. You'll just have to be really careful about working through all the associated issues.
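An added example (not part of the original page or its cited sources) of the "keep it encrypted while you're not using it" advice above: the access token is sealed with AES-256-GCM before it goes into the database row, bound to the user ID, and refused once it has expired. The names `StoredToken`, `NewAEAD`, `Seal` and `Open`, and the sample values in `main`, are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// StoredToken is the database row: ciphertext only, never the raw token.
type StoredToken struct {
	UserID        string
	Nonce, Sealed []byte
	ExpiresAt     time.Time
}

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal binds userID as associated data: a row copied to another user won't open.
func Seal(aead cipher.AEAD, userID, token string, exp time.Time) (StoredToken, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredToken{}, err
	}
	return StoredToken{userID, nonce, aead.Seal(nil, nonce, []byte(token), []byte(userID)), exp}, nil
}

// Open returns the token only if the row is unexpired and authenticates.
func Open(aead cipher.AEAD, row StoredToken, now time.Time) (string, error) {
	if !now.Before(row.ExpiresAt) || len(row.Nonce) != aead.NonceSize() {
		return "", fmt.Errorf("token expired or row malformed: redo the authorization flow")
	}
	plain, err := aead.Open(nil, row.Nonce, row.Sealed, []byte(row.UserID))
	return string(plain), err
}

func main() {
	key := make([]byte, 32) // constructed demo key; load the real one from a secret store
	rand.Read(key)
	aead, _ := NewAEAD(key)
	row, _ := Seal(aead, "user-42", "constructed-access-token", time.Now().Add(time.Hour))
	fmt.Println(Open(aead, row, time.Now()))
}
```

The encryption key has to live outside the database it protects; otherwise a dump of that database yields both the rows and the means to open them.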

OAuth 2.0 using JWT [1]

We try not to re-invent the wheel and found that Auth0 pretty much covers Token Storage in their "10 Things You Should Know about Tokens".

More Information

There might be more information for this subject on one of the following: