
Context

I have a REST API where a user can create an account from a web client. The password is saved as a salted hash in a database. When a user is authenticated they can save and retrieve private data. All of this is done through HTTPS.

I am new to OAuth2 and I am trying to add a Facebook and Google login through OAuth2. My understanding is that once the login is complete, I will not receive a client ID and a client secret, only an access token, since the login occurs in a browser.

Question

The lifetime of the access token is temporary. Is it secure to save the client ID and the access token in the database with a salted hash and is this a practice that fits well with OAuth2?

This info would then be used for the client to save and retrieve private data when authenticated, as previously described.

– Alerty
  • To clarify, are you giving the user the ability to use their Facebook/Google credentials to login to your site or are you adding features for existing users that need to access Facebook/Google information? – Doug Richardson Jan 04 '16 at 05:45

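The question turns on the difference between a secret the server only verifies (the password) and one it must later present to Google or Facebook (the access token). The following is an added illustration of that distinction, not code from the question or from any answer on the page; the `expires_in` handling follows the standard OAuth2 token response, and the PBKDF2 round count, user id and client id are assumed sample values.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


# Secrets the server only ever VERIFIES (the user's password) belong in a salted
# one-way hash: the server compares, it never needs the plaintext back.
def hash_secret(secret: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# An OAuth2 access token is a secret the server must later PRESENT to Google or
# Facebook in an Authorization header. A hash cannot be turned back into the
# token, so the stored form has to be the token itself (encrypted at rest by
# means outside this snippet), recorded together with its expiry.
@dataclass
class StoredAccessToken:
    user_id: str
    client_id: str      # identifies the app; not a secret, no hashing needed
    access_token: str   # must stay recoverable: do not hash it
    expires_at: float   # epoch seconds; access tokens are short-lived

    def is_expired(self, now: float | None = None) -> bool:
        return (time.time() if now is None else now) >= self.expires_at

    def bearer_header(self, now: float | None = None) -> dict[str, str]:
        if self.is_expired(now):
            raise PermissionError("access token expired: refresh or re-authorize")
        return {"Authorization": f"Bearer {self.access_token}"}


def store_token_response(user_id: str, client_id: str, response: dict,
                         now: float | None = None) -> StoredAccessToken:
    """Turn an OAuth2 token response ({access_token, token_type, expires_in})
    into the record to persist; expires_in is a lifetime in seconds."""
    if response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    issued = time.time() if now is None else now
    return StoredAccessToken(user_id, client_id, response["access_token"],
                             issued + float(response["expires_in"]))
```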