When using passport in a node.js app as authentication middleware for OAuth 2.0 flows (such as Facebook, Twitter, etc.), I would like to know what the common/best practices are for storing access tokens and refresh tokens in the application. I don't need to store the user account in the application, I just need the access token to call the API.
For example, if I want to authenticate the user against an OAuth 2.0 provider to get an access token to use for an OAuth-based API, I can use the following passport strategy:
const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2');

passport.use(new OAuth2Strategy({
    authorizationURL: 'https://www.example.com/oauth2/authorize',
    tokenURL: 'https://www.example.com/oauth2/token',
    clientID: EXAMPLE_CLIENT_ID,
    clientSecret: EXAMPLE_CLIENT_SECRET,
    callbackURL: "http://localhost:3000/auth/example/callback"
  },
  // verify callback: invoked once the provider has exchanged the code for tokens
  function(accessToken, refreshToken, profile, cb) {
    // handle user profile and tokens
    // [...]
  }
));
How and where should the tokens be stored in a secure manner? Would it be OK to attach the tokens to the user profile? Like so:
function(accessToken, refreshToken, profile, cb) {
  profile.accessToken = accessToken;
  profile.refreshToken = refreshToken;
  // defer the callback to the next tick; an arrow function with an expression
  // body returns the value directly (no `return` keyword needed)
  process.nextTick(() => cb(null, profile));
}