oauth - How to save refresh tokens?

Question

I'm trying to add authentication feature to my application. The authentication server implements oauth 2.0

I'm not sure how to save the refresh_token. I want to save it to a file, so next time when the application starts and there is a refresh_token available, it can ask for a new access_token. The user won't need to re-login again.

But this doesn't sound secure to me, because if someone copies my file that has the refresh_token to another computer, he can hack into my account.

Answer 1

You are correct with the attack that you describe. Refresh tokens have to be stored securely in order to be used as intended. As I understand, you are building a standalone application. Therefore, you can rely on file system security to prevent a refresh token being copied by an unauthorized user. You may want to use encryption for the refresh token, too, but the key would need to be bound to a user's session at your local machine (otherwise, the user would need to provide it during "sign in" process in order for the application to decrypt the refresh token).

Consider reading the thread from the OAuth WG, that discusses similar problems to the one described and provides some guidance: https://www.ietf.org/mail-archive/web/oauth/current/msg02292.html