Consequences of oAuth tokens ending up in the wrong hands

0 投票
最新提问 用户: (120 分)

I am looking for a more secure method of authentication for my website than the conventional username and password. I am trying to minimise the amount of data I store about my users, and I've opted to implement social login functionality.

In the event of a hacker gaining access to a database, what are the consequences of them obtaining the access tokens? Is this data less sensitive than an email address & password, for instance?

Also, an explanation on which tokens are given when a user signs in for the first time would be very helpful.

1个回答

0 投票
最新回答 用户: (4.5k 分)

Access tokens give the caller certain permissions in the application. OAuth 2.0 defines an application defined scope that limits what the caller can do inside the application (for example only retrieve the account balance).

Username/password combinations typically give full access to the application (make payments/transfers etc).

Access tokens are typically safer as they have a much shorter lifetime than username/password combinations. If you lose your access token, the attacker only has a limited timeframe in which access to your data can be gained.

Also, access tokens do not have to be stored in a database. They are verified via digital signatures. OAuth refresh tokens are typically stored on a database. However, the client needs the client id and client secret to use the refresh token to get a new access token.

发表于 用户: (120 分)
So, if I opted to use oAuth and a hacker managed to intrude on my database, what damage could be done?
发表于 用户: (4.5k 分)
If implemented correctly, not much. Besides only storing the refresh token, the auth server should store the client id and a salted hash of the client secret (just like storing passwords). This makes that the attacker needs to find the client secret before he/she can use the refresh token. Finding the secret from a salted hash is very expensive in computer time if a correct (slow) hashing algorithm is used.
欢迎来到 Security Q&A ,有什么不懂的可以尽管在这里提问,你将会收到社区其他成员的回答。
...