What is the best practice to store third-party oauth jwt tokens ? For example, using zoom oauth api , it respond access token and refresh token. Where shoud i store it ? (Lifespan of access token is 1 hour)

I think, to store access token in session and refresh token in db. Is it secure and good practice?

CodePudding user response：

A better alternative is to never store tokens in the browser, instead handle it 100% on the backend. Do review this video for more details about how you can do it in the most secure way.

• alert‘OAuth 2 0’; // The impact of XSS on OAuth 2 0 in SPAs

• Securing SPAs and Blazor Applications using the BFF (Backend for Frontend) Pattern - Dominick Baier

CodePudding user response：

It totally depends on your OAuth flow type (Offline or Online). If online then you need to store third-party tokens inside the session and for offline you need to store tokens inside your DB.

For more about Zoom REST API and SDK Integrations, please watch the sessions here

ZOOM Integration Playlist

CodePudding user response：

If your backend needs to make API calls to some external API (like zoom in your case), the best way to do it is to abstract all the API calls (perhaps even make an SDK library if there isn't one) to a singleton class.

This means that you can write logic in this class to always have one instance of it within your application, so you can store that token in that instance. However you might also need to implement an error handler, because JWT access tokens usually expire after some time, so you will need to handle the 401 errors and when they happen you will need to fetch a new token.

Hope this helps.