Hey everyone! I've been relying on email and password for authentication in my apps, but now I'm looking to integrate OAuth providers, starting with Google. I've checked out some tutorials and the Google documentation, especially a section that discusses storing refresh tokens securely. I have a couple of questions:

1. Can I or should I store the refresh token (and the access token) in HTTP-only secure cookies?
2. I know the access tokens are temporary and last for about an hour, but what about the refresh token? Should I assign it an expiration date, or is it okay to keep it indefinitely until the user logs out and I revoke the tokens?

I'd really appreciate any insights, and feel free to point out anything I might be missing. Thanks!
2 Answers
Here are a few key points to keep in mind:
- Refresh tokens are meant to be long-lived, and you should store them securely on your server using encryption.
- Access tokens are short-lived, so if you’re using them client-side in a single-page app, keep them in memory.
- Implementing security features like HTTP-only cookies, Secure, SameSite attributes, and using the State parameter along with PKCE is super important.
- Always do token exchanges and refresh operations on your backend, not client-side!
You actually want to store the refresh token server-side, rather than exposing it to the user. If it's out in the wild, they could misuse it to make unwanted API calls on your app's behalf. So yeah, keep those tokens stored securely on your server. You can store them forever, but be sure to check if they’ve expired before using them to refresh an access token.
Awesome, thank you!

I appreciate it, thank you! Just to clarify, if I'm using session-based authentication, is it correct to tie the encrypted refresh token with a session?
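Pulling both answers together (and the session question in the last comment), here is an added example, not code from either answer, of the server-side layout they describe, in Python with only the standard library: the browser gets one opaque session cookie, `state` and PKCE are generated and checked on the backend, and the provider's tokens live in a server-side record keyed by the session id and are refreshed there when the access token expires. `exchange` and `refresh` are assumed caller-supplied hooks that make the real HTTPS calls to the provider's token endpoint, and the in-memory `SESSIONS` dict stands in for a database whose rows you would encrypt at rest before persisting.

```python
import base64, hashlib, secrets, time

# Constructed in-memory stand-in for a server-side session table. The browser only
# ever gets the opaque session id as a cookie with these flags; tokens stay here.
SESSION_COOKIE_FLAGS = "HttpOnly; Secure; SameSite=Lax; Path=/"
SESSIONS = {}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def begin_login():
    """Start a login: new session, CSRF `state`, PKCE S256 challenge (RFC 7636)."""
    session_id = secrets.token_urlsafe(32)
    verifier = _b64url(secrets.token_bytes(32))  # code_verifier, kept server-side
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    state = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"state": state, "code_verifier": verifier, "tokens": None}
    return session_id, {"state": state, "code_challenge": challenge,
                        "code_challenge_method": "S256"}

def finish_login(session_id: str, returned_state: str, exchange) -> bool:
    """Callback: verify `state`, then exchange(code_verifier) -> token-endpoint JSON."""
    sess = SESSIONS.get(session_id)
    expected = sess.get("state") if sess else None
    if expected is None or not secrets.compare_digest(expected, returned_state):
        return False  # CSRF / mix-up guard; also rejects a replayed callback
    tokens = exchange(sess.pop("code_verifier"))  # verifier is single-use
    sess.pop("state")
    sess["tokens"] = {  # bound to the session record, never sent to the browser
        "access_token": tokens["access_token"],
        "access_expires_at": time.time() + tokens.get("expires_in", 3600),
        "refresh_token": tokens.get("refresh_token"),
    }
    return True

def get_access_token(session_id: str, refresh):
    """Usable access token, or None; refresh(refresh_token) -> JSON or None if rejected."""
    tok = (SESSIONS.get(session_id) or {}).get("tokens")
    if tok is None:
        return None
    if time.time() < tok["access_expires_at"] - 30:  # 30 s clock-skew margin
        return tok["access_token"]
    new = refresh(tok["refresh_token"]) if tok["refresh_token"] else None
    if new is None:  # refresh token revoked/expired: drop it and force re-login
        SESSIONS[session_id]["tokens"] = None
        return None
    tok["access_token"] = new["access_token"]
    tok["access_expires_at"] = time.time() + new.get("expires_in", 3600)
    tok["refresh_token"] = new.get("refresh_token") or tok["refresh_token"]  # rotate
    return tok["access_token"]
```

Whatever the refresh token's lifetime turns out to be, the only thing this layout ever hands the browser is the session id, so a rejected refresh simply ends the session rather than leaking anything.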