Where and how do I store an access token?

Question

I am using the IGDB API. It has recently changed to require OAuth tokens for authorization.

This is the structure of the returned token:

{
   "access_token": "prau3ol6mg5glgek8m89ec2s9q5i3i",
   "expires_in": 5587808,
   "token_type": "bearer"
}

My current method is to store the token in Firestore as a document and run a scheduled script everyday to see if the token is 24 hours or less from expiring. If so, the script would replace the token in the database.

The API calls currently happen directly in the app, without a proxy, and would use the token stored in Firestore.

Am I over complicating this? Are there issues with this method?

Answer 1

It's impossible to say exactly what's right or wrong without knowing the full architecture of your application. But, if you check with OAuth 2.0 Threat Model and Security Considerations - Store Secrets in Secure Storage, it says following,

Moreover, most modern smartphone operating systems even support the storage of application-specific data in separate areas of file systems and protect the data from access by other applications.

and

Note: Applications should ensure that confidential data is kept confidential even after reading from secure storage, which typically means keeping this data in the local memory of the application.

So, make sure the access token is stored in a location which cannot be exploited by a different application running on the same system. Furthermore, make sure no malicious party can simply access this location and get hold of the access token. These are the recommendations you can follow.