!!! Overview
The question of [{$pagename}] has been raised by several people, from both the [user-agent] and the [Authorization Server] perspectives.

Generally, we do not feel you should store [OAuth 2.0] [tokens].

!! [user-agent] [{$pagename}]
!! [Authorization Server] [{$pagename}]
! [OAuth 2.0] and __NOT__ [JWT] [2][3]
Technically you can store the access token in your database, and use it for [API] calls until it expires. It might be more trouble than it's worth, though.

Now you have to worry about securing your database and the data in it - these [tokens] give access to some fairly privileged information about your users. Of course, simply storing the [token] in [sessionStorage] might put it on disk too, depending on your [session] configuration. It's a good idea to keep it [encrypted|Encryption] while you're not using it.

Your proposed scenario about the user clearing cookies and coming back is also an issue. You could take the access token from the database and stick it back into their cookies, but before you do that, you have to make sure they are who they say they are - and now you have to do another layer of passwords just to give them access to the token they already gave you.

You're probably better off simply re-doing the [authorization] flow when they come back and click the login button again. It's not that expensive. But if that truly is a showstopper for you, then storing the token is an option. You'll just have to be really careful about working through all the associated issues.
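
As an added example (not part of the original page or of the sources it cites), this is one way to keep a stored access token encrypted while it is not in use, with Node.js's built-in crypto module. The key handling, the row layout and the function names sealToken and openToken are assumptions made for illustration.

```javascript
// Added example: seal an OAuth 2.0 access token before it is written to a
// database row, and open it only at the moment an API call needs it.
const crypto = require("node:crypto");

// Assumption: in production the 32-byte key comes from a KMS or secret store,
// never from the same database as the tokens. Generated here so the demo runs.
const KEY = crypto.randomBytes(32);

// Returns the object you would persist. User id and expiry are bound as AAD,
// so a row copied to another user, or with its expiry edited, fails to decrypt.
function sealToken(key, userId, accessToken, expiresAtMs) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(`${userId}|${expiresAtMs}`));
  const ct = Buffer.concat([cipher.update(accessToken, "utf8"), cipher.final()]);
  return {
    userId,
    expiresAtMs,
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ct: ct.toString("base64"),
  };
}

// Returns the plaintext token, or null when the row is expired, tampered
// with, or attached to a different user than the one it was sealed for.
function openToken(key, row, nowMs = Date.now()) {
  if (nowMs >= row.expiresAtMs) return null; // expired: redo the authorization flow
  try {
    const iv = Buffer.from(row.iv, "base64");
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAAD(Buffer.from(`${row.userId}|${row.expiresAtMs}`));
    decipher.setAuthTag(Buffer.from(row.tag, "base64"));
    const pt = Buffer.concat([decipher.update(Buffer.from(row.ct, "base64")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null; // authentication failed: treat as "no stored token"
  }
}

// Constructed sample values, not real credentials.
const row = sealToken(KEY, "user-42", "constructed-access-token", Date.now() + 3600 * 1000);
console.log(openToken(KEY, row));                          // the original token
console.log(openToken(KEY, { ...row, userId: "user-7" })); // null: row moved to another user
```

A null result from openToken is the signal to fall back to re-doing the authorization flow, as recommended above.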

! [OAuth 2.0] using [JWT][1]
We try not to re-invent the wheel and found that [Auth0] pretty much covers [{$pagename}] in their [10 Things You Should Know about Tokens|https://auth0.com/blog/ten-things-you-should-know-about-tokens-and-cookies/|target='_blank'].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [10 Things You Should Know about Tokens|https://auth0.com/blog/ten-things-you-should-know-about-tokens-and-cookies/|target='_blank'] - based on information obtained 2016-08-09
* [#2] - [Should we store accesstoken in our database for oauth2?|http://security.stackexchange.com/questions/72475/should-we-store-accesstoken-in-our-database-for-oauth2|target='_blank'] - based on information obtained 2016-08-09
* [#3] - [Best place to store authentication tokens client side|http://security.stackexchange.com/questions/80727/best-place-to-store-authentication-tokens-client-side|target='_blank'] - based on information obtained 2016-08-09