Fixed grammar; removed a bunch of unnecessary semi-colons


I am building a REST API back-end for a mobile application. In our design choice we decided to let OAuth2 providers handle the login security; however, I am not sure what the best practice is for the access token, which I acquire from the OAuth2 providers.

The situation is I get an access token from the OAuth2 provider when the user makes a login. I will need to use this token every time the mobile application makes a request to my back-end so I can validate against the OAuth2 provider to see if the token is still valid.

I know that I am going to create a JWT and hand it to the mobile application, which it will use every time it makes a request. Now my question is should I store the access token, which I got from the OAuth2 provider, inside the JWT as claims or should I store it in a database and connect it with the users' ID, which I will store in the JWT claims?

Perhaps it is recommended that I encrypt the JWT with JWE? If that is the case, will it decrease performance more if I decrypt for each request, rather than doing a database lookup (I will be using either MongoDB or Redis) or will performance impact be the same?

The connection to my REST API will be through HTTPS.

Tweeted twitter.com/StackSecurity/status/697714290359410688
Fixed typography, removed noise.


Where should I store OAuth2 access tokens?

I am building a REST API back-end, for a mobile application. In our design choice, we decided to let OAuth2 providers handle the login security.

However, I am not sure what the best practice is for the access token, which I acquire from the OAuth2 providers.

The situation is, I get an access token from the OAuth2 provider, when the user makes a login. I will need to use this token, every time the mobile application makes a request to my back-end. So I can validate up against the OAuth2 provider, to see if the token is still valid.

I know that I am going to create a JWT, and hand it to the mobile application, which it will use every time it makes a request.

Now my question is, should I store the access token which I got from the OAuth2 provider, inside the JWT as claims, or should I store it in a database, and connect it with the user's ID, which I will store in the JWT claims?

Perhaps it is recommended that I encrypt the JWT, with JWE? If that is the case, will it decrease performance more if I decrypt for each request, rather than doing a database lookup (I will be using either MongoDB or Redis) or will performance impact be the same?

The connection to my REST API, will be through HTTPS.

Daniel

Where should I store oauth2 access tokens?

I am building a REST API back-end, for a mobile application. In our design choice, we decided to let oauth2 providers handle the login security.

However, I am not sure what the best practice is for the access token, which I acquire from the oauth2 providers.

The situation is, I get an access token from the oauth2 provider, when the user makes a login. I will need to use this token, every time the mobile application makes a request to my back-end. So I can validate up against the oauth2 provider, to see if the token is still valid.

I know that I am going to create a JWT, and hand it to the mobile application, which it will use every time it makes a request.

Now my question is, should I store the access token which I got from the oauth2 provider, inside the JWT as claims, or should I store it in a database, and connect it with the user's ID, which I will store in the JWT claims?

Perhaps it is recommended that I encrypt the JWT, with JWE? If that is the case, will it decrease performance more if I decrypt for each request, rather than doing a database lookup (I will be using either MongoDB or redis) or will performance impact be the same?

The connection to my REST API, will be through HTTPS.

Thanks in advance.
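The second option the question describes (a JWT that carries only the user ID and a session ID, with the provider's access token kept server-side and looked up on each request) as an added example in Python; it is not code from the question or from any answer, and the HS256 signing, the constructed secret and the in-memory dict standing in for Redis or MongoDB are assumptions.

```python
import base64, hashlib, hmac, json, secrets
# Constructed demo secret and in-memory store; a real deployment would keep the
# secret in a secret manager and the store in Redis or MongoDB.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
SESSION_STORE = {}  # jti -> {"sub": user id, "provider_token": OAuth2 access token, "exp": unix time}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session_jwt(user_id: str, provider_token: str, now: int, ttl: int = 3600) -> str:
    """Issue an HS256 JWT carrying only sub/jti/exp. The provider's access token
    goes into the server-side store keyed by jti, never into the JWT itself."""
    jti, exp = secrets.token_urlsafe(16), now + ttl
    SESSION_STORE[jti] = {"sub": user_id, "provider_token": provider_token, "exp": exp}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "jti": jti, "exp": exp}).encode())
    sig = hmac.new(SERVER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def public_claims(token: str) -> dict:
    """Unverified view of the payload: everything the mobile app (or anyone
    holding the JWT) can read without a key."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def resolve_provider_token(token: str, now: int):
    """Per-request path: check alg, signature and exp, then fetch the provider
    access token by jti. Returns None for any invalid or revoked session."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never accept alg=none
        return None
    expected = hmac.new(SERVER_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig) or claims.get("exp", 0) <= now:
        return None
    record = SESSION_STORE.get(claims.get("jti"))
    if record is None or record["sub"] != claims.get("sub") or record["exp"] <= now:
        return None
    return record["provider_token"]

def revoke_session(token: str) -> bool:
    """Logout/revocation is one delete because the state lives server-side."""
    return SESSION_STORE.pop(public_claims(token).get("jti"), None) is not None
```

Because the provider token never leaves the server, the JWT needs no JWE layer to protect it and logout is a single keyed delete; the per-request cost is one signature check plus one keyed read from the store.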