Security question - Storing tokens


(Iguna Kilu) #1

Hi guys o7

First off, the app I decided to make is by far the most difficult thing I ever attempted, so please be gentle.

As far as I understand the SSO auth flow, after trading my auth token for access and refresh token (so to say), I got to store them somehow, right? So the next time I start my app I don’t have to go through the thing again and can simply refresh the access token with the refresh token (which never expires, right?)
Otherwise I’d have to sign on every single time I start the app…

So the question:
How do I store these keys? Do I have to make them unreadable somehow or encrypt them?
Or does it not matter if they get stolen?

I’m working with Windows/C# and was going to share my app/the code with anyone who wants, btw.


(Brock Khans) #2

I’ve not built desktop software that does this, so I can’t speak specifically to that. But from the webapps I’ve seen on GitHub and the ones I’ve built, I store them in a MySQL database in a table that I use to manage their ‘user’ in whatever form that comes (depending on the site).

You are correct in how the workflow works. You redirect them to the SSO page, which passes back a code, and you use that code to get an access/refresh token. The access token is good for 1200 seconds, and once that expires you use the refresh_token to get a new access token to use in your requests.

I’d give http://eveonline-third-party-documentation.readthedocs.io/en/latest/sso/intro.html a read over, may answer more of your questions as well.


(Iguna Kilu) #3

So is it secure with a database? What prevents someone from accessing it? If necessary, one could extract the login/pw/encryption etc. from your source code if you share it, or even read the strings clear from a text editor if you don’t obfuscate them somehow.
But I guess no one would go that far just to get API access to another person’s EVE character.
I think it’s probably just important to not make it too easy for anyone, so that one could think “the way these tokens are stored is asking to get stolen” or sth.
I also didn’t plan to use a database anyway; after all, I’m making a desktop app and don’t want anyone to have to install a MySQL server or sth to use it.

I’m probably just going to use some encryption to obfuscate any cleartext stuff.
Do you think that will do?


(Brock Khans) #4

My MySQL is password protected, with each DB user only allowed to access the database it needs to. As far as exposing your pw in your code, if you run a public repo you need to have some sort of secret file where you put all your sensitive data like passwords. You then add that file to your .gitignore so it’s not included in your commits.

Yes if someone got on your server they could see it, but if they are already on your server, you’re in bigger trouble.

Again, I’m not into software, I do web, so I don’t know how that translates over.


(Mr Twinkie) #5

I use SQLite to store them and it’s pretty easy to encrypt it. Basically, whatever DB you use, look into encryption. Or just store them plain and bank on the fact that no one cares about neckbeards’ tokens.


(Golden Gnu) #6

If you want to keep the users’ refresh tokens safe on desktop, you have to let the users choose the password to encrypt with. It’s the only way the password cannot be extracted from your exe file.
Also, if anyone can get access to the encrypted refresh tokens on desktop, it must mean the computer has been compromised, so any password the user types into your app can most likely be compromised too, so it’s kinda pointless to encrypt them?

Additionally, you have 4 options to handle your app secret/id:

  • Ship with it. This will never be safe; it can always be extracted from your exe file.
  • Use a web server as the middle-man to keep your app secret/id hidden. That opens up the web server to attacks instead, as you need to ship with all the info to use the web server, just as with shipping the app secret/id. But it gives you more control, as you can ban people etc. You would have to pay for a server and also require additional trust from your users, as you could keep all their data.
  • Use implicit flow, so you don’t need an app secret/id. It’s not very user friendly, as the users will have to log in once every 20 min for each char/corp.
  • Let the users create their own dev app instead of using yours. It’s not very user friendly either. Note: it’s not possible to create dev apps with alpha clones, so they will not be able to use your software.
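
One way to do what the first paragraph of this post describes (a password the user chooses as the only key material, so nothing extractable from the exe unlocks the tokens), as an added example in the asker's language; this is not code from the thread, the TokenVault class and its file layout are my own, and it assumes .NET 8 (AesGcm with an explicit tag size, Rfc2898DeriveBytes.Pbkdf2):

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not code from the thread. The refresh token is encrypted with a key
// derived from a password the user picks, so no secret has to be embedded in the exe.
public static class TokenVault
{
    const int SaltSize = 16, NonceSize = 12, TagSize = 16, KeySize = 32, Iterations = 600_000;

    // Blob layout written to disk: salt | nonce | tag | ciphertext. Salt and nonce are fresh
    // on every call, so re-saving the same token never reuses a key/nonce pair.
    public static byte[] Protect(string refreshToken, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeySize);
        byte[] plaintext = Encoding.UTF8.GetBytes(refreshToken);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagSize];
        using (var aes = new AesGcm(key, TagSize))
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        CryptographicOperations.ZeroMemory(key);
        byte[] blob = new byte[SaltSize + NonceSize + TagSize + ciphertext.Length];
        salt.CopyTo(blob, 0); nonce.CopyTo(blob, SaltSize);
        tag.CopyTo(blob, SaltSize + NonceSize); ciphertext.CopyTo(blob, SaltSize + NonceSize + TagSize);
        return blob;
    }

    // Returns null on a wrong password or a tampered file: GCM's tag check fails before any
    // plaintext is released, so a bad password cannot produce garbage that gets sent to the SSO.
    public static string? Unprotect(byte[] blob, string password)
    {
        if (blob.Length < SaltSize + NonceSize + TagSize) return null;
        byte[] salt = blob[..SaltSize];
        byte[] nonce = blob[SaltSize..(SaltSize + NonceSize)];
        byte[] tag = blob[(SaltSize + NonceSize)..(SaltSize + NonceSize + TagSize)];
        byte[] ciphertext = blob[(SaltSize + NonceSize + TagSize)..];
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeySize);
        byte[] plaintext = new byte[ciphertext.Length];
        try
        {
            using var aes = new AesGcm(key, TagSize);
            aes.Decrypt(nonce, ciphertext, tag, plaintext);
            return Encoding.UTF8.GetString(plaintext);
        }
        catch (CryptographicException) { return null; }
        finally { CryptographicOperations.ZeroMemory(key); }
    }
}
```

Where the blob is written (a file under the user's AppData, for instance) is up to the app; a null from Unprotect is the point at which to prompt for the password again rather than fall back to a stored default.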

(Iguna Kilu) #7

Thank you very much everyone. I know how I am going to handle this now.

