Tokens are not stored securely #21

Closed
al-yisun opened this issue Jan 19, 2015 · 2 comments
Comments

@al-yisun

As per the RFC, "[tokens] MUST be kept confidential in transit and storage." This can be accomplished pretty easily here by storing a hash of the token string instead of the token string itself, although perhaps that logic should be bubbled up into Flask-OAuthlib as well.

@matt3o

matt3o commented Jul 29, 2016

Isn't that actually the case? Transport is protected by HTTPS, and the token is stored in a SecureCookieSession from Flask. I see your point but I don't think it's necessary. Please correct me if I'm wrong; I'm about to implement an OAuth2 component myself.

@lepture
Member

lepture commented Jul 30, 2016

SecureCookieSession is not that secure.

This is just an example, you should store it in your database.
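
An added example, not part of the issue thread and not Flask-OAuthlib code: a server-side token store that keeps only a SHA-256 digest of each bearer token, combining the hashing suggested in the first comment with the database storage recommended in the last. The `TokenStore` class, its table layout and the use of `sqlite3` are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time


def token_digest(token: str) -> str:
    # Tokens are long random strings, so a fast unsalted hash is enough here;
    # this is NOT appropriate for low-entropy secrets such as passwords.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Hypothetical store: only the digest of a token ever reaches the database."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS token ("
            " digest TEXT PRIMARY KEY, user_id INTEGER NOT NULL,"
            " scope TEXT NOT NULL, expires_at REAL NOT NULL)"
        )

    def issue(self, user_id, scope, ttl=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.db.execute(
            "INSERT INTO token VALUES (?, ?, ?, ?)",
            (token_digest(token), user_id, scope, now + ttl),
        )
        self.db.commit()
        return token  # plaintext goes to the client once and is never stored

    def lookup(self, presented, now=None):
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT user_id, scope, expires_at FROM token WHERE digest = ?",
            (token_digest(presented),),
        ).fetchone()
        if row is None or row[2] <= now:
            return None  # unknown or expired token
        return {"user_id": row[0], "scope": row[1]}

    def revoke(self, presented):
        cur = self.db.execute(
            "DELETE FROM token WHERE digest = ?", (token_digest(presented),)
        )
        self.db.commit()
        return cur.rowcount == 1

    def stored_values(self):
        # What someone reading the table would see: digests only.
        return [r[0] for r in self.db.execute("SELECT digest FROM token")]
```

A copy of the `token` table yields digests that cannot be replayed as bearer tokens, while validation still works because the server hashes whatever the client presents before the lookup.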
