Keeping Tokens Safe

By being proactive, you can prevent the exposure of data by ensuring that your tokens are never exposed or stolen in the first place. Some steps you can take are to:
- Avoid sharing privileged information, such as Client Secrets or API Keys, on the client side.
- Encrypt token data both in transit and at rest.
- Tie Bearer tokens to user accounts to ensure the authenticated user is authorized to use a token.
- Ensure OAuth Redirect URIs point to specific URLs, instead of wildcard patterns that malicious users could potentially control.
- As an API provider, it’s best practice to either let tokens expire or provide a mechanism to revoke them. The client then uses a separate refresh token to request new tokens. This limits how long an old, leaked token remains usable by anyone who obtains it.
Ensure Request Confidence

In addition to protecting the token itself, it’s often important to ensure the trustworthiness of requests and to neutralize threats before damage is done. Some helpful techniques include:
- Fingerprinting the client device or browser to increase confidence that requests are coming from the same trusted device/browser the token was first issued to.
- Setting up IP- or role-based whitelists for accessing decrypted token data and performing API requests where appropriate.
- Setting rate limits and alerts to guard against malicious attackers using compromised tokens to siphon large amounts of data. These circuit breakers are sometimes the first indication of a threat.
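The two request-confidence checks above, fingerprint binding and a rate-limit circuit breaker, as an added example that is not part of the original post or of Kloudless' code. The fingerprint is a hash of the User-Agent and Accept-Language headers (an assumed, deliberately coarse signal), each token is bound to the fingerprint seen at issuance, and a sliding window counts requests per token; exceeding the budget trips the breaker and records an alert. The request log and token names are constructed.

```python
"""Request-confidence checks over a constructed request log (added example)."""
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 5   # deliberately small so the constructed sample trips it


def fingerprint(user_agent: str, accept_language: str) -> str:
    """Coarse client fingerprint (assumption: two headers); real deployments add
    more stable signals such as TLS client characteristics."""
    return hashlib.sha256(f"{user_agent}|{accept_language}".encode()).hexdigest()[:16]


class RequestGuard:
    def __init__(self, bound_fingerprints):
        # token -> fingerprint recorded when the token was issued
        self._bound = dict(bound_fingerprints)
        self._windows = defaultdict(deque)   # token -> request timestamps in window
        self._tripped = set()                # tokens whose circuit breaker is open
        self.alerts = []                     # records an operator would be paged on

    def check(self, req):
        """Return (allowed, reason) for one request dict."""
        token = req["token"]
        if token in self._tripped:
            return False, "circuit_open"
        # Binding check: the request must come from the client the token was issued to.
        if self._bound.get(token) != fingerprint(req["user_agent"], req["accept_language"]):
            self.alerts.append({"token": token, "type": "fingerprint_mismatch", "ts": req["ts"]})
            return False, "fingerprint_mismatch"
        # Sliding-window rate limit: drop timestamps that fell out of the window.
        window = self._windows[token]
        while window and req["ts"] - window[0] >= WINDOW_SECONDS:
            window.popleft()
        window.append(req["ts"])
        if len(window) > MAX_REQUESTS_PER_WINDOW:
            self._tripped.add(token)
            self.alerts.append({"token": token, "type": "rate_limit_tripped", "ts": req["ts"]})
            return False, "rate_limited"
        return True, "ok"


# Constructed sample: token tA is bound to a Firefox client, tB to a Chrome client.
UA_FF = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
UA_CH = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
BOUND = {"tA": fingerprint(UA_FF, "en-US"), "tB": fingerprint(UA_CH, "de-DE")}

SAMPLE_REQUESTS = (
    # tA: seven requests in seven seconds, a data-siphoning pattern
    [{"ts": 100 + i, "token": "tA", "user_agent": UA_FF, "accept_language": "en-US"} for i in range(7)]
    # tB: one legitimate request, then a replay of the token from a different client
    + [{"ts": 110, "token": "tB", "user_agent": UA_CH, "accept_language": "de-DE"},
       {"ts": 111, "token": "tB", "user_agent": UA_FF, "accept_language": "en-US"}]
)


def run(requests=SAMPLE_REQUESTS):
    """Evaluate every request in order; return the decisions and the alerts raised."""
    guard = RequestGuard(BOUND)
    decisions = [guard.check(r) for r in requests]
    return decisions, guard.alerts


if __name__ == "__main__":
    decisions, alerts = run()
    for req, (allowed, reason) in zip(SAMPLE_REQUESTS, decisions):
        print(req["ts"], req["token"], "ALLOW" if allowed else "DENY", reason)
    print("alerts:", alerts)
```

Note that the fingerprint check runs before the rate limiter, so a token replayed from a foreign client is refused on the first request rather than consuming part of the budget, and once a breaker has tripped the token stays blocked until an operator reviews the alert.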
Minimize Damage from a Data Breach

In the event of a breach of a user’s account, whether on the provider’s side or the client’s, you can take steps to ensure that the overall amount of data lost, or the sensitivity of the data exposed, is low. The same concept of using one token to provision another can be used to issue lower-scoped tokens that limit the level of access allowed:
- As an API provider, you can support token exchanges to allow clients to exchange a privileged token for a more appropriately scoped one with lower privileges. Check out Kloudless’ authentication to see how it works.
- As an API consumer using a service that supports token exchange, you can exchange tokens for lower scopes, or request minimal scopes incrementally as they are needed.
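The token lifecycle described under "Keeping Tokens Safe" (user-bound tokens, expiry, refresh, revocation, hashed storage) and the scoped exchange described in this section, as one added example. This is illustrative code written for this page, not Kloudless' authentication implementation; the TTLs, the in-memory store and the "downscope only" rule are assumptions.

```python
"""Token lifecycle and scoped token exchange for an API provider (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass


def _digest(token: str) -> str:
    # Only a hash is kept at rest, so a leaked token database yields nothing usable.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class TokenRecord:
    user_id: str          # the account the token is tied to
    scopes: frozenset     # what the token may do
    expires_at: float
    kind: str             # "access" or "refresh"
    revoked: bool = False


class TokenService:
    ACCESS_TTL = 900.0             # 15 minutes (assumed): stolen tokens age out quickly
    REFRESH_TTL = 30 * 86400.0     # 30 days (assumed)

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._store: dict[str, TokenRecord] = {}

    def _mint(self, user_id, scopes, kind, ttl):
        token = secrets.token_urlsafe(32)
        self._store[_digest(token)] = TokenRecord(user_id, frozenset(scopes), self._now() + ttl, kind)
        return token

    def issue(self, user_id, scopes):
        """Issue an (access, refresh) pair bound to user_id with the given scopes."""
        return (self._mint(user_id, scopes, "access", self.ACCESS_TTL),
                self._mint(user_id, scopes, "refresh", self.REFRESH_TTL))

    def _lookup(self, token, kind):
        rec = self._store.get(_digest(token))
        if rec is None or rec.kind != kind or rec.revoked or rec.expires_at <= self._now():
            return None
        return rec

    def authorize(self, token, user_id, needed_scope):
        """True only if the token is live, belongs to user_id and carries needed_scope."""
        rec = self._lookup(token, "access")
        return rec is not None and rec.user_id == user_id and needed_scope in rec.scopes

    def refresh(self, refresh_token):
        """Rotate: the presented refresh token is revoked and a fresh pair is issued."""
        rec = self._lookup(refresh_token, "refresh")
        if rec is None:
            return None
        rec.revoked = True
        return self.issue(rec.user_id, rec.scopes)

    def revoke(self, token):
        """Revocation works for access and refresh tokens alike."""
        rec = self._store.get(_digest(token))
        if rec is not None:
            rec.revoked = True

    def exchange(self, access_token, requested_scopes):
        """Token exchange that only narrows privilege: the requested scopes must be a
        subset of the presented token's scopes, so an exchange can never escalate."""
        rec = self._lookup(access_token, "access")
        requested = frozenset(requested_scopes)
        if rec is None or not requested <= rec.scopes:
            return None
        return self._mint(rec.user_id, requested, "access", self.ACCESS_TTL)


if __name__ == "__main__":
    svc = TokenService()
    access, refresh_tok = svc.issue("alice", {"read", "write"})
    low = svc.exchange(access, {"read"})          # hand a read-only token to a less trusted component
    print("low token can write:", svc.authorize(low, "alice", "write"))   # False
    print("escalation refused:", svc.exchange(low, {"write"}) is None)    # True
```

A consumer following the second bullet would hold the privileged pair in its backend and pass only the downscoped token to whichever component needs read access; if that component is compromised, the exposed token can neither write nor be exchanged back up.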