
Storage of Microsoft Oauth2 access token and refresh token

I have a question. I managed to get an access token and a refresh token that allow me to access users' data from the Microsoft Calendar API, and currently the only thing I'm facing is: does Microsoft provide any method of secure storage of tokens on their endpoint side, something similar to Google's:

AppEngineDataStoreFactory.class

Any solutions for best practices or similar suggestions? I would avoid storing the tokens on file or in memory.

Thanks.

For this case, I would recommend MSAL, Microsoft's authentication library that simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. When using MSAL, token caching, refreshing, and silent acquisition are supported automatically.

Here's a link to the MSAL for Java repository on GitHub: https://github.com/AzureAD/microsoft-authentication-library-for-java

Let me know if this helps.

The following recommendations assume you're using MSAL for acquiring your tokens.

  1. First, design your app such that your MSAL token caches adhere to security and performance recommendations: in web apps, use and store a separate token cache per browser session and account. I.e., when you serialize/deserialize a token cache, it should be a token cache that is tied to that session only, and further, keyed to the account ID of the logged-in user.

  2. Now, you can think about where to persist your token cache. There aren't any hard-and-fast rules for which datastore to use, so you can choose whatever fits your needs.

  3. Lastly, and most importantly, store the token cache securely. Use strong encryption, limit access to the stored data to only your web app, and protect your encryption keys. You can use Azure Key Vault for getting and storing encryption/decryption keys.
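
The three recommendations above, combined in one MSAL4J cache aspect, as an added example that is not code from the answer or from the MSAL project. The class name, the `Map` standing in for the datastore, and the already-fetched AES key are assumptions; `ITokenCacheAccessAspect`, `tokenCache().serialize()`/`deserialize()` and `hasCacheChanged()` are MSAL4J's own interfaces.

```java
import com.microsoft.aad.msal4j.ITokenCacheAccessAspect;
import com.microsoft.aad.msal4j.ITokenCacheAccessContext;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical class: create one instance per browser session and signed-in account.
public class EncryptedSessionTokenCache implements ITokenCacheAccessAspect {
    private static final int IV_LEN = 12, TAG_LEN = 16;
    private final Map<String, byte[]> store; // assumption: stand-in for your datastore
    private final SecretKey key;             // assumption: AES key obtained via e.g. Azure Key Vault
    private final String cacheKey;           // session ID + account ID, also bound as AAD

    public EncryptedSessionTokenCache(Map<String, byte[]> store, SecretKey key, String sessionId, String accountId) {
        this.store = store; this.key = key; this.cacheKey = sessionId + ":" + accountId;
    }
    @Override public void beforeCacheAccess(ITokenCacheAccessContext ctx) {
        byte[] blob = store.get(cacheKey);
        if (blob == null || blob.length < IV_LEN + TAG_LEN) return; // nothing usable cached
        try {
            ctx.tokenCache().deserialize(new String(crypt(false, blob), StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            store.remove(cacheKey); // tampered blob or wrong key: discard, user signs in again
        }
    }
    @Override public void afterCacheAccess(ITokenCacheAccessContext ctx) {
        if (!ctx.hasCacheChanged()) return; // skip the write when MSAL changed nothing
        try {
            store.put(cacheKey, crypt(true, ctx.tokenCache().serialize().getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("token cache encryption failed", e);
        }
    }
    // AES-GCM with a fresh random IV per write; stored layout is IV || ciphertext+tag.
    private byte[] crypt(boolean enc, byte[] in) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        if (enc) new SecureRandom().nextBytes(iv); else System.arraycopy(in, 0, iv, 0, IV_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(enc ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_LEN * 8, iv));
        c.updateAAD(cacheKey.getBytes(StandardCharsets.UTF_8)); // blob only decrypts under its own session/account
        if (!enc) return c.doFinal(in, IV_LEN, in.length - IV_LEN);
        byte[] ct = c.doFinal(in);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }
}
```

Pass an instance to `setTokenCacheAccessAspect(...)` on the MSAL4J application builder. Binding the session and account IDs as GCM associated data means a blob copied to another user's cache row fails authentication instead of loading that user's tokens.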
