Securly Storing OpenID identifiers and OAuth tokens

database security encryption openid oauth

I am creating a web app that will use OpenID logins and OAuth tokens with Youtube. I am currently storing the OpenID identity and OAuth token/token secret in plain text in the database.

Is it inappropriate to store these values as plain text? I could use a one-way encryption for the OpenID identifier but I don't know if that is necessary. For the OAuth tokens, I would need to use a two-way encryption as my app relies on getting the session token for some uses.

Is it necessary to encrypt the OpenID identity? Could someone use it to gain access to a user's account?

atp

First, there is a registered application that has consumer_key and consumer_secret.

When users authenticate and "allow" your registered application, you get back: an access_token that is considered the user's "password" and would allow JUST YOUR application to act on the user's behalf.

So, getting just the user's access_token from your database won't help much if they don't also have the consumer_key and consumer_secret for complete access.

The service provider compares all 4 parameters on request. It would be smart to encrypt these 4 parameters before storage and decrypt them before response.

This is just when you need to update or make changes to the user's resource owner on behalf of a user. To keep a user logged-in on your site, use sessions.

This not the case if you are using OAuth 2.0 with bearer tokens. All you need is an access token (auth token) to access a users data. Something to be careful of.

Pelle

The OAuth Token and Secret should both obviously be kept safe in your database, but you can't store them using 1 way encryption the same way you would for a password. The reason being is that you need the token and secret to be able to sign the request.

This would also be the case if you are running an OAuth server, you still need the original token/secret to verify the request.

If you want to you could still encrypt them using a 2 way encryption algorithm such as AES to offer security in case your database or database backups get compromised.

Other answers say treat them as passwords, but this answer is good in that it points out you need a 2 way encryption algorithm. With hashed passwords you can hash what the user types and check against the hashed password. With tokens and secrets you need to get the original text back again.

2-way encryption algorithm? Did you mean public-key encryption like RSA (for which two different keys should be used)? AES is "2-way" in the sense that you can encrypt and decrypt it, but only with the same private key.

@Lekensteyn probably AES, which is two-way as compared to a one-way cryptographic hash function. Public-private key cryptography doesn't buy you a whole lot when you use both in the same environment.

culix

There's two schools of thought here.

The first argument is that: you should treat OAuth tokens like passwords. If anyone were to access your database, obtain all the OpenID/OAuth pairs and run an man-in-the-middle attack, they could impersonate any user on your site.

The second argument is this: by the time someone has access to your database and sufficient access to your network to run an man-in-the-middle attack, you're hosed anyway.

I'd personally err on the side of caution and just encrypt them; it's a standard practice for passwords, so you might as well give yourself just that little extra peace of mind.

Meanwhile, Google has this advice:

"Tokens should be treated as securely as any other sensitive information stored on the server."

source: http://code.google.com/apis/accounts/docs/OAuth.html

And some random guy on the web has specific implementation advice:

If they’re on a regular disk file, protect them using filesystem permissions, make sure that they’re encrypted, and hide the password well

If they’re in a database, encrypt the fields, store the key well, and protect access to the database itself carefully. *

If they’re in LDAP, do the same.

archived post (original post URL, now a dead link)

In case anyone is still tracking this -- I'm very sympathetic to the idea of encrypting stuff like this, but it strikes my newbie brain that we're just pushing the problem off another level -- we can encrypt, but now we have to put the encryption secret somewhere, and protect against IT being stolen. Is it enough to just put it in a file somewhere outside webroot?

A file outside webroot that the web server user cannot access (in case they get in that way). Or a separate PKI infrastructure which just gets all kinds of complicated. This protects against an attacker who finds a way to dump the database but not the entire filesystem - say through an SQL injection attack.

@BenWalther A file the web server cannot access? But the web server has to access the file (the plain text tokens) for it's interactions with the OAuth based service.

ZZ Coder

OpenID URL shouldn't be encrypted because this is your "open id" literally, everyone should know the value. Besides, the URL needs to be an index in the database and it's always problematic to encrypt the index in the database.

OAuth token/secret should be secret and encryption may improve security if you have to store the token long term. In our OAuth consumer application, token/secret is only stored in session for a short while and we choose not to encrypt them. I think that's secure enough. If someone can peek into our session storage, they probably have our encryption key also.

Not quite true. OpenID URLs aren't necessarily public. To prevent correlation between RPs, Google uses directed identity so that every RP gets a unique OpenID for the same user. If all these were made public so that literally everyone knew the values, correlation would again be possible.

OP is talking about back-end database. It that were public, you have much bigger privacy issues to deal with.

Rettel

Yes, these should be symmetrically encrypted (say, AES-256 in CBC mode) at rest in a database. A simple way to encrypt these tokens is using SecureDB's Encryption as a Service RESTful APIs.

Disclosure: I work at SecureDB.

Securly Storing OpenID identifiers and OAuth tokens

Follow WeChat

Want to stay one step ahead of the latest teleworks?

相似问题

Platform

Support

Contact US