I am creating a web app that will use OpenID logins and OAuth tokens with Youtube. I am currently storing the OpenID identity and OAuth token/token secret in plain text in the database.
Is it inappropriate to store these values as plain text? I could use a one-way encryption for the OpenID identifier but I don’t know if that is necessary. For the OAuth tokens, I would need to use a two-way encryption as my app relies on getting the session token for some uses.
Is it necessary to encrypt the OpenID identity? Could someone use it to gain access to a user’s account?
First, there is a registered application that has
consumer_keyandconsumer_secret.When users authenticate and “allow” your registered application, you get back:
an
access_tokenthat is considered the user’s “password” and would allow JUST YOUR application to act on the user’s behalf.So, getting just the user’s
access_tokenfrom your database won’t help much if they don’t also have theconsumer_keyandconsumer_secretfor complete access.The service provider compares all 4 parameters on request. It would be smart to encrypt these 4 parameters before storage and decrypt them before response.
This is just when you need to update or make changes to the user’s resource owner on behalf of a user. To keep a user logged-in on your site, use sessions.