How secret is the oauthTokenSecret?

[ForbesLindesay]

Judging by the name oauthTokenSecret probably shouldn't be shared with the user? Since many people store session data in a cookie, this seems at odds with the default implementation of oauth1. I may be missing something though?

[jaredhanson]

It is a secret that should only be known by the client/application to which the token was issued.

this seems at odds with the default implementation of oauth1

I'm not sure what you mean by "default implementation", and what is at odds. If the client is storing secrets in a way that users can access them, then yes that is at odds. Hopefully it is not the default implementation.

[ForbesLindesay]

One of the most popular session implementations for express is cookie-session. It stores the session in plain text in a cookie (JSON encoded). By default passport-oauth1 stores the oauth_token_secret in the session.

[jaredhanson]

Those sessions either have all data in a backend data store or are encrypted with a key only the backend knows. In both cases the secret is only accessible to the backend (which is the oauth client), so there's no issue with such implementation.

…

Sent from my iPhone

On Dec 8, 2017, at 5:58 AM, Forbes Lindesay ***@***.***> wrote: One of the most popular session implementations for express is cookie-session. It stores the session in plain text in a cookie (JSON encoded). By default passport-oauth1 stores the oauth_token_secret in the session. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[ForbesLindesay]

https://www.npmjs.com/package/cookie-session Signs the session data with a secret key, but it does not encrypt the data. A user can still read the contents of the session as plain text.

[jaredhanson]

The token secret that is stored in the session is associated with the request token (aka temporary credentials). This request token is a one-time use token and secret exchanged for the final access token. In this sense, it serves a similar purpose to the authorization code in OAuth 2.0, and there's little risk associated with storing it in signed-only cookie. The protocol has other means to authenticate use of the temporary credentials (such as client secrets).

The token secret associated with the access token is handed off to the application by passport-oauth1, and is not stored in the session. I would not advice putting this token or secret in a session whose contents are visible to the user. If client-side cookie storage is needed, I would advise client-sessions, which encrypts the data.