Supabase, 2w ago
thor

Storing Google OAuth Tokens

The docs say to securely store tokens: https://supabase.com/docs/guides/auth/social-login/auth-google?queryGroups=environment&environment=client#saving-google-tokens but don't explain how. What's the recommended way of doing this? So far, sign in w/ Supabase auth + Google OAuth is working well and I can use the tokens to access API functionality, but I need to store them, else I have to re-login every time. (This is a Next.js project w/ Supabase auth and DB btw.) From my understanding and research, the two ways to do this securely are through browser in-memory storage or saving encrypted tokens to the database and linking them to the user. I'm not sure this is correct though. Are there any docs/examples/guides on how to store these tokens safely and correctly? Would love to know I'm implementing everything as intended and if there's a choice I need to make (and the tradeoffs between them). Would love to have an official method added to the docs so I know what the suggested best-practice way is!
11 Replies
silentworks, 2w ago
There is no such thing as an official method. This isn't a Supabase specific thing and as your research has shown you can save your tokens in your database encrypted. You can store it in a secret management system, you can store it in redis, you can basically store it anywhere you know is secure.
thor (OP), 2w ago
Do you know of any good guides/examples/tutorials? This seems like something that you probably don't want to make up yourself randomly or hack together, no?
silentworks, 2w ago
There should be plenty of info on this on Google. There was a really good tutorial years ago when I was doing PHP, but I don't have that link anymore.
thor (OP), 2w ago
I've been looking around for a couple of days, but the best I've found was the Auth0 docs: https://auth0.com/docs/secure/security-guidance/data-security/token-storage which explain some stuff regarding in-memory storage but nothing regarding storing in the database (which from what I understand is necessary if you also want to take actions for them?) or how to deal with refresh tokens. That's why I was hoping there would be something in the Supabase docs (because I feel like this must be sort of common?).
thor (OP), 2w ago
I understand it's not a 'Supabase specific' thing, but is it not always better to provide tutorials/quickstarts/etc. of some sort?
silentworks, 2w ago
I think almost all OAuth providers prohibit you from taking action for a user with their access token.
thor (OP), 2w ago
I might have misunderstood then. What's the benefit of saving it in the database?
silentworks, 2w ago
So that the user can access them at a later date. More so the refresh token. I think this thread on Reddit explains quite well how to store them: https://www.reddit.com/r/django/comments/l0fsjo/how_to_securely_store_oauth_2_access_and_refresh/
thor (OP), 2w ago
But what would be the benefit of storing it in the DB vs storing it in browser memory? And thank you! I'll check it out
silentworks, 2w ago
What do you consider to be browser memory?
thor (OP), 2w ago
Sorry, I meant browser in-memory storage like the Auth0 docs mentioned ^^