Encrypt owner-specific OAuth tokens and application API keys #969

ginatrapani opened this Issue Sep 15, 2011 · 4 comments


None yet

3 participants

ThinkUp LLC member

OAuth tokens and API keys allow an application to act on behalf of the user on a third-party service, so applications should protect those tokens with the same measures they protect the user's password. ThinkUp should hash OAuth tokens which give users access to third-party services instead of storing them in the database as cleartext.

This goes for owner-specific OAuth tokens for Facebook and Twitter stored in owner_instances, as well as application-wide API keys stored in tu_options.



If we hash these tokens the same way we do passwords there is no way to get access to them again unless the user re enters them. I'm assuming this isn't what we want?


We could use symmetric key encryption, with the key being the users password and then when the user logs in decrypt the keys ?

How would we decide when to destroy the decrypted keys?

ThinkUp LLC member

All good questions, and I don't have definite answers top of mind. Let's discuss on the dev mailing list so everyone can participate.


The user's password probably isn't the best as idea as those change semi-frequently

A common approach is to go with the blowfish cbc encryption algorithm wherein the person installing the application decides the single key for the entirety of encrypted data for all users, saves it in the config file or elsewhere, then that key is used for all encryption/decryption. As the encrypted data is in binary then a final step is usually used of base64 encoding to make it ascii before storing the encoded data anywhere.

This encryption is handled PHP's mcrypt library which connects to an underlaying C library - neither may be installed so this would probably have to be an optional feature.


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment