From the course: Web Security: OAuth and OpenID Connect

Handling tokens safely and securely

- [Instructor] Now that we have all these tokens, and we validate some of them to understand they're safe, we need to use and protect them effectively. First of all, we have to remember that both access and refresh tokens are credentials. Therefore, we have to protect them and secure them, just like we would any other secret in our applications. In general, that means you shouldn't embed them in client-side code and should only store them in secure cookies which can be used over HTTPS. Then we can look at the contents of the token directly. Since the ID token is usually going to go to the owner and the owner alone, you probably want to embed sensitive information in it. Don't. Don't store sensitive information. Credit card numbers, government IDs, whatever. Do not store them in the token. A better approach is to use the token at the resource server to retrieve that sensitive information directly. That protects both the token and…