database - Securly Storing OpenID identifiers and OAuth tokens

Question

I am creating a web app that will use OpenID logins and OAuth tokens with Youtube. I am currently storing the OpenID identity and OAuth token/token secret in plain text in the database.

Is it inappropriate to store these values as plain text? I could use a one-way encryption for the OpenID identifier but I don't know if that is necessary. For the OAuth tokens, I would need to use a two-way encryption as my app relies on getting the session token for some uses.

Is it necessary to encrypt the OpenID identity? Could someone use it to gain access to a user's account?

Answer 1

First, there is a registered application that has consumer_key and consumer_secret.

When users authenticate and "allow" your registered application, you get back: an access_token that is considered the user's "password" and would allow JUST YOUR application to act on the user's behalf.

So, getting just the user's access_token from your database won't help much if they don't also have the consumer_key and consumer_secret for complete access.

The service provider compares all 4 parameters on request. It would be smart to encrypt these 4 parameters before storage and decrypt them before response.

This is just when you need to update or make changes to the user's resource owner on behalf of a user. To keep a user logged-in on your site, use sessions.