I'm developing a portal where users can log into their Gmail accounts to send and receive emails. The authentication process is handled via OAuth2, and I'm using JWTs for authentication within my application.
After a user successfully logs in and authorizes my application, they obtain an access token and a refresh token from Google's OAuth2 server. Now, I'm unsure about the best practice for storing these tokens securely.
Should I include the access and refresh tokens within the JWT issued to the user upon authentication, or is there a better approach? If storing them within the JWT is not recommended, what alternative methods should I consider to ensure security while allowing seamless access to Gmail's API?
I was trying to store the tokens into the database, but I read its not recommended cause it might go stale.