How important is it to keep OAuth's access token secret?
https://stackoverflow.com/questions/4065657
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Once I receive my access token for a site (say facebook) using OAuth, how important is it to keep this secret? Could anything malicious happen if someone got a hold of one?
I was wondering if it would be a bad idea to save the token in a cookie or session.
Solution
Update: if you are having the user connect with the javascript sdk, the user id and access tokens are already be stored in cookies for your site. Check the http cookies being sent. If they are not, check the FB.Init documentation, as FB.Init has a cookies boolean parameter you can set so that it will create a cookie for you named fbs_{APPID}. This post talks about that cookie.
OTHER TIPS
Yes, the access token is equivalent to your username/password. Most implementations will expire the access token after a time but while it is still valid it must be kept a secret.
